Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
26-10-2024 02:02
Static task
static1
Behavioral task
behavioral1
Sample
7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6.exe
Resource
win10v2004-20241007-en
General
-
Target
7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6.exe
-
Size
1.9MB
-
MD5
d9c7beeacdac2aae5d8c675556bfaae9
-
SHA1
b1c2dd3bd27624a8aa310cbb481b9a64fdbaf921
-
SHA256
7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6
-
SHA512
498d3d7053cfb612cc91dc44483ab38431eb694a6aed2613b1d9ad9d90db89001e68fa07ead050fa56bbaa957276f9eea9fb985051d059df4553c66cde130e98
-
SSDEEP
49152:3rLGA8M9iYz45FWeYTZxTUxXpKg+fmjcozmKxS:65FWBTZxYxJo
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\pigalicapi = "C:\\Users\\Admin\\pigalicapi.exe" 7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6.exedescription pid process target process PID 2292 set thread context of 1744 2292 7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6.exe svchost.exe -
Processes:
resource yara_rule behavioral1/memory/1744-246-0x0000000004000000-0x000000000408E000-memory.dmp upx behavioral1/memory/1744-245-0x0000000004000000-0x000000000408E000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6.exesvchost.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6.exepid process 2292 7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6.exedescription pid process target process PID 2292 wrote to memory of 1744 2292 7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6.exe svchost.exe PID 2292 wrote to memory of 1744 2292 7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6.exe svchost.exe PID 2292 wrote to memory of 1744 2292 7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6.exe svchost.exe PID 2292 wrote to memory of 1744 2292 7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6.exe svchost.exe PID 2292 wrote to memory of 1744 2292 7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6.exe svchost.exe PID 2292 wrote to memory of 1744 2292 7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6.exe svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6.exe"C:\Users\Admin\AppData\Local\Temp\7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe2⤵
- System Location Discovery: System Language Discovery
PID:1744
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2039016743-699959520-214465309-1000\c5d8393293ce2ba62f117b2c2d55bc3e_d58f30ce-7498-4544-8c46-d67b11e386bc
Filesize1KB
MD5b5efc03f2cfe53f3594e094d8edf6352
SHA19fcc07157cd78da2fbfaf342be16f1d23edefcb6
SHA256cc4f8283d23de7293378d0be6d1e2b1defcb4b1bcabc6ca94c32cd3477e8c8a7
SHA51201f841b8ea47f0457d35a00235aaf734394cfa60544671dc89c00981e99761f3307d6bee4fa763c64888ef260c50dd10026813b550628f994069b4be0b03ccd7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2039016743-699959520-214465309-1000\c5d8393293ce2ba62f117b2c2d55bc3e_d58f30ce-7498-4544-8c46-d67b11e386bc
Filesize1KB
MD52ad36f4e2c703a839ee4bb9dc03135a4
SHA1c4d5813f547af70e0624dccf7f817ce492444704
SHA25629af7aa9c0815299cde9f40c2ffd2235ea18d848ac1f60306367710d7ad9fde4
SHA512ced0974221a399f224c86229fab8f33c1335084735dba6f677d72a1002a325b2a9d56b5018a9265ec57343bc30444088bb6fb08aaf29c883e4131a2c7a3e0e05
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2039016743-699959520-214465309-1000\c5d8393293ce2ba62f117b2c2d55bc3e_d58f30ce-7498-4544-8c46-d67b11e386bc
Filesize62B
MD560806f4f110a6f85831390dafbb98385
SHA19e27b0bad5f13310a1db8a0c155b3ad7c6b6e446
SHA256219d1a0d4109122414a4ef1b17d392652e94e7492b490ec6ff33ef553d125a4d
SHA512b56bf9de49451eded9debd004a8fd187e6af54a87ef8a1647b6d2f169fc8ef45fd5c6b118f46a4f587bb7f05a170d10cef80211a22d90612a7b6792d7494b6f2