Analysis
  max time kernel:  140s
  max time network: 146s
  platform:         windows10-2004_x64
  resource:         win10v2004-20241007-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        16/10/2024, 02:28
Static task
  static1
Behavioral task behavioral1
  Sample:   72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e.exe
  Resource: win7-20240903-en
Behavioral task behavioral2
  Sample:   72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e.exe
  Resource: win10v2004-20241007-en
(The signatures and process tree below are from behavioral2, the Windows 10 run; the YARA match path begins with behavioral2/.)
General
  Target: 72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e.exe
  Size:   1.1MB
  MD5:    55aebe7c9491e315b5cf0b1754cd970a
  SHA1:   0b7b1c687363a42a5a628c6fac6dc70304d32a0f
  SHA256: 72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e
  SHA512: cfe63311113b1464549db347fead8d383cfd112d1fd20ce07ff2839408b5e1de6f109bde959b8fffa80a4e1f5a4f0d5764ce210bd23b1706062d565334068d4b
  SSDEEP: 24576:WfmMv6Ckr7Mny5QtV+1fCCVcgSdtCWniexXvWDjzUJ:W3v+7/5QtI1fCdBioqzUJ
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Lymnaeidae.vbs
  Process:      Lymnaeidae.exe
- Executes dropped EXE (1 IoC)
  PID 4900  Lymnaeidae.exe
- AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  resource:  behavioral2/files/0x0009000000023c60-5.dat
  yara_rule: autoit_exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid 4552 (WerFault.exe) reporting on pid_target 4900, procid_target 87
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: 72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: Lymnaeidae.exe
  Legitimate software reads this key as well; on its own this is low-signal and is only notable here alongside the drop-and-inject chain below.
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3068 wrote to memory of 4900  (72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e.exe, procid_target 87; recorded 3 times)
  PID 4900 wrote to memory of 4184  (Lymnaeidae.exe, procid_target 88; recorded 3 times)
  PID 4900 is the dropped Lymnaeidae.exe and PID 4184 is RegSvcs.exe (see Processes); each parent writes into the child it has just created.
Processes
  1. C:\Users\Admin\AppData\Local\Temp\72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e.exe  (PID 3068)
     command line: "C:\Users\Admin\AppData\Local\Temp\72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e.exe"
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
     2. C:\Users\Admin\AppData\Local\contrapose\Lymnaeidae.exe  (PID 4900)
        command line: "C:\Users\Admin\AppData\Local\Temp\72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e.exe"
        - Drops startup file
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 4184)
           command line: "C:\Users\Admin\AppData\Local\Temp\72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e.exe"
        3. C:\Windows\SysWOW64\WerFault.exe  (PID 4552)
           command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 740
           - Program crash
  1. C:\Windows\SysWOW64\WerFault.exe  (PID 208)
     command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4900 -ip 4900

Two points worth reading out of this tree. First, in both children (Lymnaeidae.exe and RegSvcs.exe) the on-disk image does not match the executable named on the command line, which in each case is the original sample's path; combined with the WriteProcessMemory records from each parent into its freshly created child, this is consistent with the parent creating the child and replacing its code in memory rather than the child running its own image. The report does not show what was written, so the injected payload is not established here. Second, WerFault.exe runs from SysWOW64, so the crashing Lymnaeidae.exe (PID 4900) is a 32-bit process, matching the arch:x86 tag; the RegSvcs.exe child is the 32-bit Framework (not Framework64) build for the same reason.
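One way to turn the signatures and process tree above into host-side hunting logic, as an added example that is not part of this report or of the sandbox's own detection code. The events are plain dicts in a Sysmon-like shape (field names Image, CommandLine, TargetFilename, SourceImage, TargetImage, GrantedAccess follow Sysmon's naming; the event IDs 1, 10 and 11 are Sysmon's process-create, process-access and file-create events) and are constructed here to mirror the chain in this report, with a few benign events mixed in; they are not sandbox output. The access-right constants are the documented Windows process access masks.

```python
"""Hunt for the behaviours shown in this report: a script dropped into the
Startup folder, an EXE running from a user-writable AppData path, a process
whose on-disk image disagrees with its own command line, and a non-system
process opening another with memory-write rights (the WriteProcessMemory
pattern seen from Lymnaeidae.exe into RegSvcs.exe)."""
import ntpath
import re

# Windows process access rights (winnt.h); both are needed for WriteProcessMemory.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta"}
USER_APPDATA_RE = re.compile(r"^[a-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SYSTEM_RE = re.compile(r"^[a-z]:\\Windows\\", re.IGNORECASE)


def first_token(cmdline):
    """Executable token of a Windows command line, quoted or bare."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(None, 1)[0] if cmdline else ""


def startup_script_drop(ev):
    """Event 11: a script-type file created under the per-user Startup folder."""
    target = ev.get("TargetFilename", "")
    return bool(STARTUP_RE.search(target)) and ntpath.splitext(target)[1].lower() in SCRIPT_EXT


def exe_from_appdata(ev):
    """Event 1: process image lives under %APPDATA% or %LOCALAPPDATA%."""
    return USER_APPDATA_RE.match(ev.get("Image", "")) is not None


def image_cmdline_mismatch(ev):
    """Event 1: image on disk differs from the executable the command line names,
    as RegSvcs.exe did above when launched with the sample's command line."""
    image = ntpath.basename(ev.get("Image", "")).lower()
    claimed = ntpath.basename(first_token(ev.get("CommandLine", ""))).lower()
    return bool(image and claimed) and image != claimed


def cross_process_write(ev):
    """Event 10: a non-system source opens a target with VM_OPERATION|VM_WRITE."""
    granted = int(ev.get("GrantedAccess", "0"), 16)
    return (granted & WRITE_MASK) == WRITE_MASK and not SYSTEM_RE.match(ev.get("SourceImage", ""))


def triage(events):
    """Return (finding, subject, detail) tuples for every matching event."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 11 and startup_script_drop(ev):
            findings.append(("startup_script_drop", ev["Image"], ev["TargetFilename"]))
        elif eid == 1:
            if exe_from_appdata(ev):
                findings.append(("exe_from_appdata", ev["Image"], ev["CommandLine"]))
            if image_cmdline_mismatch(ev):
                findings.append(("image_cmdline_mismatch", ev["Image"], ev["CommandLine"]))
        elif eid == 10 and cross_process_write(ev):
            findings.append(("cross_process_write", ev["SourceImage"], ev["TargetImage"]))
    return findings


def finding_kinds(events):
    return [f[0] for f in triage(events)]


# Constructed sample events modelled on this report's process tree (not sandbox output).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\contrapose\Lymnaeidae.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EVENTS = [
    {"EventID": 1, "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 1, "Image": DROPPED, "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 11, "Image": DROPPED, "TargetFilename": STARTUP + r"\Lymnaeidae.vbs"},
    {"EventID": 1, "Image": HOST, "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 10, "SourceImage": DROPPED, "TargetImage": HOST, "GrantedAccess": "0x1FFFFF"},
    # benign noise: a normal process, a read-only handle, a non-script Startup file
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt'},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": HOST,
     "GrantedAccess": "0x1000"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": STARTUP + r"\desktop.ini"},
]

if __name__ == "__main__":
    for kind, subject, detail in triage(EVENTS):
        print(f"{kind:24} {subject}\n{'':24} {detail}")
```

The image/command-line mismatch check is the cheapest of the four and fires twice on this tree (Lymnaeidae.exe and RegSvcs.exe both carry the sample's command line); a real Sysmon or EDR feed would also let you join the event 10 access record to the event 1 creation of the same target PID, which is how you confirm the write landed in a child that had just been spawned rather than in an already-running process.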
Network
MITRE ATT&CK Enterprise v15
Downloads
  72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e.exe
  Filesize: 1.1MB
  MD5:      55aebe7c9491e315b5cf0b1754cd970a
  SHA1:     0b7b1c687363a42a5a628c6fac6dc70304d32a0f
  SHA256:   72a8825bde9fb1600cb085e11d2b59a2b11e3c027c301fb789791e2552bda42e
  SHA512:   cfe63311113b1464549db347fead8d383cfd112d1fd20ce07ff2839408b5e1de6f109bde959b8fffa80a4e1f5a4f0d5764ce210bd23b1706062d565334068d4b