Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16/10/2024, 02:28
Static task: static1
Behavioral task: behavioral1
  Sample: 72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e.exe
  Resource: win10v2004-20241007-en
General
Target: 72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e.exe
Size: 1.1MB
MD5: 55aebe7c9491e315b5cf0b1754cd970a
SHA1: 0b7b1c687363a42a5a628c6fac6dc70304d32a0f
SHA256: 72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e
SHA512: cfe63311113b1464549db347fead8d383cfd112d1fd20ce07ff2839408b5e1de6f109bde959b8fffa80a4e1f5a4f0d5764ce210bd23b1706062d565334068d4b
SSDEEP: 24576:WfmMv6Ckr7Mny5QtV+1fCCVcgSdtCWniexXvWDjzUJ:W3v+7/5QtI1fCdBioqzUJ
Malware Config
Signatures

Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Lymnaeidae.vbs | Lymnaeidae.exe

Executes dropped EXE (1 IoC)
pid | Process
2796 | Lymnaeidae.exe

Loads dropped DLL (1 IoC)
pid | Process
2968 | 72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e.exe

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | checkip.dyndns.org

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x0008000000015d7f-4.dat | autoit_exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2796 set thread context of 2780 | 2796 | Lymnaeidae.exe | 31

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lymnaeidae.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
2780 | RegSvcs.exe

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
2796 | Lymnaeidae.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2780 | RegSvcs.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2968 wrote to memory of 2796 | 2968 | 72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e.exe | 30 (4 identical events)
PID 2796 wrote to memory of 2780 | 2796 | Lymnaeidae.exe | 31 (8 identical events)

outlook_office_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

outlook_win_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e.exe (PID 2968)
   Command line: "C:\Users\Admin\AppData\Local\Temp\72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\contrapose\Lymnaeidae.exe (PID 2796, child of PID 2968)
      Command line: "C:\Users\Admin\AppData\Local\Temp\72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2780, child of PID 2796)
         Command line: "C:\Users\Admin\AppData\Local\Temp\72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e.exe"
         - Accesses Microsoft Outlook profiles
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 205KB
MD5: ce70b530bf5a9e09c5060d0668d21bde
SHA1: 9aa5fde1392b803cec335710828d92326d092caf
SHA256: 308e5b41746f297980dd8f0a6f8fbb68e00ea26453b147ac135a645741d07038
SHA512: 756e9604ff5b4360221dfcb2bc80c60f67e2504d00256a32207e6500c8b466e9c5e09558a96aeac1d59c23be6883e48419e149c93204d40fac85d3a0c73e3147

Filesize: 1.1MB
MD5: 55aebe7c9491e315b5cf0b1754cd970a
SHA1: 0b7b1c687363a42a5a628c6fac6dc70304d32a0f
SHA256: 72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e
SHA512: cfe63311113b1464549db347fead8d383cfd112d1fd20ce07ff2839408b5e1de6f109bde959b8fffa80a4e1f5a4f0d5764ce210bd23b1706062d565334068d4b