Analysis
-
max time kernel
146s
-
max time network
149s
-
platform
windows7_x64
-
resource
win7-20240903-en
-
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
25-10-2024 09:16
Static task
static1
Behavioral task
behavioral1
Sample
d9c7beeacdac2aae5d8c675556bfaae9.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d9c7beeacdac2aae5d8c675556bfaae9.exe
Resource
win10v2004-20241007-en
General
-
Target
d9c7beeacdac2aae5d8c675556bfaae9.exe
-
Size
1.9MB
-
MD5
d9c7beeacdac2aae5d8c675556bfaae9
-
SHA1
b1c2dd3bd27624a8aa310cbb481b9a64fdbaf921
-
SHA256
7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6
-
SHA512
498d3d7053cfb612cc91dc44483ab38431eb694a6aed2613b1d9ad9d90db89001e68fa07ead050fa56bbaa957276f9eea9fb985051d059df4553c66cde130e98
-
SSDEEP
49152:3rLGA8M9iYz45FWeYTZxTUxXpKg+fmjcozmKxS:65FWBTZxYxJo
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: d9c7beeacdac2aae5d8c675556bfaae9.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\pigalicapi = "C:\\Users\\Admin\\pigalicapi.exe" | d9c7beeacdac2aae5d8c675556bfaae9.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: d9c7beeacdac2aae5d8c675556bfaae9.exe
description | pid | process | target process
PID 1884 set thread context of 1164 | 1884 | d9c7beeacdac2aae5d8c675556bfaae9.exe | svchost.exe
-
Processes:
resource | yara_rule
behavioral1/memory/1164-250-0x0000000004000000-0x000000000408E000-memory.dmp | upx
behavioral1/memory/1164-249-0x0000000004000000-0x000000000408E000-memory.dmp | upx
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: svchost.exe, d9c7beeacdac2aae5d8c675556bfaae9.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d9c7beeacdac2aae5d8c675556bfaae9.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: d9c7beeacdac2aae5d8c675556bfaae9.exe
pid | process
1884 | d9c7beeacdac2aae5d8c675556bfaae9.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: d9c7beeacdac2aae5d8c675556bfaae9.exe
description | pid | process | target process
PID 1884 wrote to memory of 1164 | 1884 | d9c7beeacdac2aae5d8c675556bfaae9.exe | svchost.exe
PID 1884 wrote to memory of 1164 | 1884 | d9c7beeacdac2aae5d8c675556bfaae9.exe | svchost.exe
PID 1884 wrote to memory of 1164 | 1884 | d9c7beeacdac2aae5d8c675556bfaae9.exe | svchost.exe
PID 1884 wrote to memory of 1164 | 1884 | d9c7beeacdac2aae5d8c675556bfaae9.exe | svchost.exe
PID 1884 wrote to memory of 1164 | 1884 | d9c7beeacdac2aae5d8c675556bfaae9.exe | svchost.exe
PID 1884 wrote to memory of 1164 | 1884 | d9c7beeacdac2aae5d8c675556bfaae9.exe | svchost.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\d9c7beeacdac2aae5d8c675556bfaae9.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\d9c7beeacdac2aae5d8c675556bfaae9.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID:1884
   2. C:\Windows\SysWOW64\svchost.exe
      command line: C:\Windows\system32\svchost.exe
      - System Location Discovery: System Language Discovery
      PID:1164
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\c5d8393293ce2ba62f117b2c2d55bc3e_38b42d9b-3e83-45f4-8789-a30be34574b0
Filesize
1KB
MD5
ac88c88d3a5734bdfe1d1929d5aae29f
SHA1
90a61c80432d64e01ddc853a9d3081210a96f2d8
SHA256
5513ba8333d8e7594d662b6717ed6067c82f3c0f63dbec9978ef3dbf9ac5b258
SHA512
e7e09ee37484edc6482807145aece048bbba1ca39e6edda4e6e62072e2c1da5fa0c35ff29c50e19793ee8b7550db1389878d20f69e43928acd9883bd6ae93ed1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\c5d8393293ce2ba62f117b2c2d55bc3e_38b42d9b-3e83-45f4-8789-a30be34574b0
Filesize
1KB
MD5
d53f00c36f7d919887fe10948d86ff31
SHA1
a7129c3238539be78ba83a2b7080af04fcb0eb0c
SHA256
5a3fdcf011502154443a82ea7b45bde15d5188f94265f9a070c8cb3a5648d8cf
SHA512
087637a750e0e19b7e94fb7fd9487fc72218dacadc7b7e56de32e398a13660aa63af8649b283c8e7a332dd1871ed2b4f71d63e32b5a6c01571072d5ef3b456df
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\c5d8393293ce2ba62f117b2c2d55bc3e_38b42d9b-3e83-45f4-8789-a30be34574b0
Filesize
62B
MD5
60806f4f110a6f85831390dafbb98385
SHA1
9e27b0bad5f13310a1db8a0c155b3ad7c6b6e446
SHA256
219d1a0d4109122414a4ef1b17d392652e94e7492b490ec6ff33ef553d125a4d
SHA512
b56bf9de49451eded9debd004a8fd187e6af54a87ef8a1647b6d2f169fc8ef45fd5c6b118f46a4f587bb7f05a170d10cef80211a22d90612a7b6792d7494b6f2