Analysis
Max time kernel: 121s
Max time network: 124s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 26-10-2024 01:03
Behavioral task: behavioral1
Sample: 715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe
Resource: win10v2004-20241007-en
General
Target: 715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe
Size: 841KB
MD5: 4a667433343828c12e9c5679f707db74
SHA1: 1ef28cff2d80369bece4b28b88beaf52342cc62a
SHA256: 715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f
SHA512: c03b335895ac4a0ae9825000c4ef9d73f67e0a9475556567fdfe547ab9f03fbfa9c63a1a4db8b3cf89ddfa36b8db37d178fd3bfa3c5945519e20ef06493690b9
SSDEEP: 24576:muS04YNEMuExDiU6E5R9s8xY/2l/df6Ibt+rH:mq4auS+UjfU2Tf6Ibt+r
Signatures

Executes dropped EXE (1 IoC)
PID | Process
2868 | WindowsInput.exe

Loads dropped DLL (1 IoC)
PID | Process
2700 | 715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe

Drops file in System32 directory (3 IoCs)
Description | IoC | Process
File created | C:\Windows\SysWOW64\WindowsInput.exe | 715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe
File opened for modification | C:\Windows\SysWOW64\WindowsInput.InstallLog | WindowsInput.exe
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | WindowsInput.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe

Modifies registry class (7 IoCs)
Description | IoC | Process
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\shell\Read\command | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\ | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\shell\Read | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\shell | rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID | Process
3008 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
PID | Process
3008 | AcroRd32.exe
3008 | AcroRd32.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Description | PID | Process | Target PID
PID 2700 wrote to memory of 2868 | 2700 | 715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe | 32
PID 2700 wrote to memory of 2868 | 2700 | 715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe | 32
PID 2700 wrote to memory of 2868 | 2700 | 715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe | 32
PID 2700 wrote to memory of 2868 | 2700 | 715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe | 32
PID 2700 wrote to memory of 1256 | 2700 | 715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe | 33
PID 2700 wrote to memory of 1256 | 2700 | 715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe | 33
PID 2700 wrote to memory of 1256 | 2700 | 715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe | 33
PID 2700 wrote to memory of 1256 | 2700 | 715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe | 33
PID 2700 wrote to memory of 1256 | 2700 | 715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe | 33
PID 2700 wrote to memory of 1256 | 2700 | 715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe | 33
PID 2700 wrote to memory of 1256 | 2700 | 715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe | 33
PID 1256 wrote to memory of 3008 | 1256 | rundll32.exe | 34
PID 1256 wrote to memory of 3008 | 1256 | rundll32.exe | 34
PID 1256 wrote to memory of 3008 | 1256 | rundll32.exe | 34
PID 1256 wrote to memory of 3008 | 1256 | rundll32.exe | 34
Processes

- C:\Users\Admin\AppData\Local\Temp\715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe (PID 2700)
  Command line: "C:\Users\Admin\AppData\Local\Temp\715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsInput.exe (PID 2868, child of 2700)
    Command line: "C:\Windows\SysWOW64\WindowsInput.exe" --install
    - Executes dropped EXE
    - Drops file in System32 directory

  - C:\Windows\SysWOW64\rundll32.exe (PID 1256, child of 2700)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows.old\WINDOWS
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 3008, child of 1256)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Windows.old\WINDOWS"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx