Analysis
-
max time kernel
132s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19-10-2024 11:20
Static task
static1
Behavioral task
behavioral1
Sample
ef962b6dc96472a374447fc8c2e4409c44532d1a446646f3dcd262b95143d0cb.exe
Resource
win7-20240903-en
General
-
Target
ef962b6dc96472a374447fc8c2e4409c44532d1a446646f3dcd262b95143d0cb.exe
-
Size
1.0MB
-
MD5
019a689dcc5128d85718bd043197b311
-
SHA1
dfed1ea66306d5f8e5e6ac4d6b91b06e4adfeb0b
-
SHA256
ef962b6dc96472a374447fc8c2e4409c44532d1a446646f3dcd262b95143d0cb
-
SHA512
6cd55fe3d4c830845317dc9d02783b5616f65f2e10864c52518d75af66f57b02f7d1975bc125cfe916168418a19337960eaa9485622ca8f70da5884b83b09d61
-
SSDEEP
24576:4WAq81e5JEJFQWvtYG7KddInBz87zqNI++9rY/2uOM/dnuVtfO:8bevEJOWvt37KddIn5872+9M/2JM/dnh
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2928 Windows Update.exe -
Executes dropped EXE 1 IoCs
pid Process 2928 Windows Update.exe -
Loads dropped DLL 2 IoCs
pid Process 2212 ef962b6dc96472a374447fc8c2e4409c44532d1a446646f3dcd262b95143d0cb.exe 1264 dw20.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" Windows Update.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 whatismyipaddress.com 6 whatismyipaddress.com 7 whatismyipaddress.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ef962b6dc96472a374447fc8c2e4409c44532d1a446646f3dcd262b95143d0cb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windows Update.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dw20.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2928 Windows Update.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2928 Windows Update.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2212 wrote to memory of 2928 2212 ef962b6dc96472a374447fc8c2e4409c44532d1a446646f3dcd262b95143d0cb.exe 30 PID 2212 wrote to memory of 2928 2212 ef962b6dc96472a374447fc8c2e4409c44532d1a446646f3dcd262b95143d0cb.exe 30 PID 2212 wrote to memory of 2928 2212 ef962b6dc96472a374447fc8c2e4409c44532d1a446646f3dcd262b95143d0cb.exe 30 PID 2212 wrote to memory of 2928 2212 ef962b6dc96472a374447fc8c2e4409c44532d1a446646f3dcd262b95143d0cb.exe 30 PID 2212 wrote to memory of 2928 2212 ef962b6dc96472a374447fc8c2e4409c44532d1a446646f3dcd262b95143d0cb.exe 30 PID 2212 wrote to memory of 2928 2212 ef962b6dc96472a374447fc8c2e4409c44532d1a446646f3dcd262b95143d0cb.exe 30 PID 2212 wrote to memory of 2928 2212 ef962b6dc96472a374447fc8c2e4409c44532d1a446646f3dcd262b95143d0cb.exe 30 PID 2928 wrote to memory of 1264 2928 Windows Update.exe 33 PID 2928 wrote to memory of 1264 2928 Windows Update.exe 33 PID 2928 wrote to memory of 1264 2928 Windows Update.exe 33 PID 2928 wrote to memory of 1264 2928 Windows Update.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef962b6dc96472a374447fc8c2e4409c44532d1a446646f3dcd262b95143d0cb.exe"C:\Users\Admin\AppData\Local\Temp\ef962b6dc96472a374447fc8c2e4409c44532d1a446646f3dcd262b95143d0cb.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 10283⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1264
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
102B
MD5430b441662ed99584f62648022a20bed
SHA1d16c4994a2d5e0c5349ae1cbc741ee505dc59ec8
SHA256532662d3325a638b2a24f9e685b8787b2a528247bff4f6cbf5416a673dbd411b
SHA512a4a8ddb9c1a33268a649029f8b2254091825635e7d03ed4c70fdf48e28ee2bc5a17986fdd6530a86f6b5741f22d3c3b0a2a3efb5183b2253f7bef4cc7b0c3ce6
-
Filesize
1.0MB
MD5019a689dcc5128d85718bd043197b311
SHA1dfed1ea66306d5f8e5e6ac4d6b91b06e4adfeb0b
SHA256ef962b6dc96472a374447fc8c2e4409c44532d1a446646f3dcd262b95143d0cb
SHA5126cd55fe3d4c830845317dc9d02783b5616f65f2e10864c52518d75af66f57b02f7d1975bc125cfe916168418a19337960eaa9485622ca8f70da5884b83b09d61