Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-10-2024 09:16
Static task: static1
Behavioral task: behavioral1
  Sample: d9c7beeacdac2aae5d8c675556bfaae9.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d9c7beeacdac2aae5d8c675556bfaae9.exe
  Resource: win10v2004-20241007-en
General
Target: d9c7beeacdac2aae5d8c675556bfaae9.exe
Size: 1.9MB
MD5: d9c7beeacdac2aae5d8c675556bfaae9
SHA1: b1c2dd3bd27624a8aa310cbb481b9a64fdbaf921
SHA256: 7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6
SHA512: 498d3d7053cfb612cc91dc44483ab38431eb694a6aed2613b1d9ad9d90db89001e68fa07ead050fa56bbaa957276f9eea9fb985051d059df4553c66cde130e98
SSDEEP: 49152:3rLGA8M9iYz45FWeYTZxTUxXpKg+fmjcozmKxS:65FWBTZxYxJo
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: d9c7beeacdac2aae5d8c675556bfaae9.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pigalicapi = "C:\\Users\\Admin\\pigalicapi.exe"
  Process: d9c7beeacdac2aae5d8c675556bfaae9.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: d9c7beeacdac2aae5d8c675556bfaae9.exe
  description: PID 2916 set thread context of 4108
  pid: 2916
  Process: d9c7beeacdac2aae5d8c675556bfaae9.exe
  procid_target: 97

Processes (yara rule matches):
  resource: behavioral2/memory/4108-227-0x0000000004000000-0x000000000408E000-memory.dmp
  yara_rule: upx
  resource: behavioral2/memory/4108-226-0x0000000004000000-0x000000000408E000-memory.dmp
  yara_rule: upx

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: d9c7beeacdac2aae5d8c675556bfaae9.exe, svchost.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: d9c7beeacdac2aae5d8c675556bfaae9.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: svchost.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: d9c7beeacdac2aae5d8c675556bfaae9.exe
  pid: 2916
  Process: d9c7beeacdac2aae5d8c675556bfaae9.exe
  pid: 2916
  Process: d9c7beeacdac2aae5d8c675556bfaae9.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes: d9c7beeacdac2aae5d8c675556bfaae9.exe
  5 identical entries:
  description: PID 2916 wrote to memory of 4108
  pid: 2916
  Process: d9c7beeacdac2aae5d8c675556bfaae9.exe
  procid_target: 97
Processes
1. C:\Users\Admin\AppData\Local\Temp\d9c7beeacdac2aae5d8c675556bfaae9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d9c7beeacdac2aae5d8c675556bfaae9.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2916
   2. C:\Windows\SysWOW64\svchost.exe (child of PID 2916)
      Command line: C:\Windows\system32\svchost.exe
      - System Location Discovery: System Language Discovery
      PID: 4108
Network
MITRE ATT&CK Enterprise v15
Downloads
File: C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3756129449-3121373848-4276368241-1000\c5d8393293ce2ba62f117b2c2d55bc3e_a63d6fdc-08cb-4232-ab51-76cafdcb4d96
  Filesize: 1KB
  MD5: e51ebfdde7f6e52eb7f403bc97c522e4
  SHA1: 773d4721ed2ffae43bf54f7df4d49c9bdf90527e
  SHA256: 8e0a760382e1f76eba351ef5d5bb2a7cfa622722836975c3fcc5bacc5f31c13c
  SHA512: 633563e0ee8f59726a595b8cfdf3f8837acc1153bc3124e7034cf0c4ac714c4be75a4a01a14fca81af294045401e7c8a5d9fa4be978605d464aee01331d48b6d

File: C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3756129449-3121373848-4276368241-1000\c5d8393293ce2ba62f117b2c2d55bc3e_a63d6fdc-08cb-4232-ab51-76cafdcb4d96
  Filesize: 1KB
  MD5: 8742c9c752f84dff58e96a9c1cde0585
  SHA1: bfcdafb10274a2292e2b31dce8d19b62f828e619
  SHA256: f683b2f1b5e4ba4879e8adadafc9b4998c180f75f52be98e2e5fc61fb7d18aa4
  SHA512: 7213f204ea97bddaac1ef3c8c0426f9346de45ecfb03c1fa2fc8ed3665499dabf3da94827c287ee588b48e417d24ffee541b5600985fb751c932e8e391ab2204

File: C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3756129449-3121373848-4276368241-1000\c5d8393293ce2ba62f117b2c2d55bc3e_a63d6fdc-08cb-4232-ab51-76cafdcb4d96
  Filesize: 62B
  MD5: 60806f4f110a6f85831390dafbb98385
  SHA1: 9e27b0bad5f13310a1db8a0c155b3ad7c6b6e446
  SHA256: 219d1a0d4109122414a4ef1b17d392652e94e7492b490ec6ff33ef553d125a4d
  SHA512: b56bf9de49451eded9debd004a8fd187e6af54a87ef8a1647b6d2f169fc8ef45fd5c6b118f46a4f587bb7f05a170d10cef80211a22d90612a7b6792d7494b6f2