Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
31/10/2024, 04:54
Behavioral task
behavioral1
Sample
9dfd9c951f243a2b233e1c3550bb769dc516ba0b933474595383ee7ae1d2cb1eN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
9dfd9c951f243a2b233e1c3550bb769dc516ba0b933474595383ee7ae1d2cb1eN.exe
Resource
win10v2004-20241007-en
General
-
Target
9dfd9c951f243a2b233e1c3550bb769dc516ba0b933474595383ee7ae1d2cb1eN.exe
-
Size
59KB
-
MD5
d441db7f8d53a25cc5c6c54b973778a0
-
SHA1
fef8d33d97a5dea872b87e4704d3f1a4da9a4c97
-
SHA256
9dfd9c951f243a2b233e1c3550bb769dc516ba0b933474595383ee7ae1d2cb1e
-
SHA512
92d8fd36e4a9941fcf25e20aabd31f3db7c1a4d6ec377b04bd7ec34c724585549e341022a5faa86f3655830d015dc543d01350b37719a46137fd97cbe969e47c
-
SSDEEP
1536:3+ZgwRdiE8cO4p1xRjfTvSq5r3ZiIZ4nouy8uh1aQT:OeodiUO4p13b9HiIeoutuh1aQT
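The digest table above is what a triage pipeline computes on intake, and the yara rule name upx that the Signatures section attaches to the memory dumps and to the dropped file indicates a UPX-packed image. The Python below is added here as an editorial example (it is not the sandbox's code and not the sample's): it computes the same four digests and walks the PE section table for the UPX0/UPX1 section names that UPX leaves behind. The build_minimal_pe helper fabricates a non-loadable PE header purely so the parser can be exercised offline; point the script at a real file to triage it. Note that the file listed under Downloads has the same 59KB size as the submitted sample but different digests, so always match on digests, never on size.

```python
import hashlib
import struct


def file_hashes(data: bytes) -> dict:
    """The same digest set the report lists: MD5, SHA1, SHA256, SHA512."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the section names in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                  # 20-byte COFF header
    (nsections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    names = []
    for i in range(nsections):
        raw = data[table + i * 40: table + i * 40 + 8]    # Name is the first 8 bytes
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """UPX names its sections UPX0/UPX1 (plus UPX2 or .rsrc). A repacked or
    renamed sample will not be caught by the name alone; section entropy is
    the next check in that case."""
    return any(n.startswith("UPX") for n in pe_section_names(data))


def triage(data: bytes) -> dict:
    names = pe_section_names(data)
    return {"size": len(data),
            "hashes": file_hashes(data),
            "sections": names,
            "upx_sections": any(n.startswith("UPX") for n in names)}


def build_minimal_pe(section_names) -> bytes:
    """Constructed test image (assumption, not a real sample): DOS stub,
    PE signature, COFF header, zero-filled PE32 optional header and one
    40-byte section header per name. It is not loadable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    opt = bytes(0xE0)                                     # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x0102)
    sections = b"".join(name.encode("ascii").ljust(8, b"\0") + bytes(32)
                        for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    import json
    import sys
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_minimal_pe(["UPX0", "UPX1", ".rsrc"]))
    print(json.dumps(triage(data), indent=2))
```

Run it as `python triage_pe.py sample.exe` to get the digests and the section verdict for a file on disk; with no argument it runs against the fabricated header. The section-name check explains a yara upx hit but is deliberately weak on its own: unpack with `upx -d` (or dump from memory, as the sandbox did) before any static signature work.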
Malware Config
Signatures
-
Deletes itself (1 IoC)
  pid   Process
  2028  cmd.exe
-
Executes dropped EXE (1 IoC)
  pid   Process
  2184  AhnSvc.exe
-
Loads dropped DLL (2 IoCs)
  pid   Process
  1392  9dfd9c951f243a2b233e1c3550bb769dc516ba0b933474595383ee7ae1d2cb1eN.exe
  1392  9dfd9c951f243a2b233e1c3550bb769dc516ba0b933474595383ee7ae1d2cb1eN.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
  description  Set value (str)
  ioc          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AhnUpadate = "\"C:\\ProgramData\\AhnLab\\AhnSvc.exe\" /run"
  Process      9dfd9c951f243a2b233e1c3550bb769dc516ba0b933474595383ee7ae1d2cb1eN.exe (PID 1392)
  Note: the value lands under Wow6432Node because the sample runs as a 32-bit process on the x64 guest (its cmd.exe child resolves to C:\Windows\SysWOW64\cmd.exe). 64-bit Windows processes that Run key at logon just like the native one, so this is a working autostart. The value name AhnUpadate (a misspelling of AhnUpdate) and the C:\ProgramData\AhnLab\ directory borrow the name of the AhnLab security vendor; treat this as masquerading, not as a legitimate AhnLab component.
-
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.
-
YARA matches (rule: upx)
  resource                                                                      yara_rule
  behavioral1/memory/1392-0-0x0000000000FC0000-0x0000000000FE7000-memory.dmp    upx
  behavioral1/files/0x000c0000000145b3-2.dat                                    upx
  behavioral1/memory/2184-11-0x0000000000A70000-0x0000000000A97000-memory.dmp   upx
  behavioral1/memory/1392-12-0x0000000000FC0000-0x0000000000FE7000-memory.dmp   upx
  behavioral1/memory/2184-14-0x0000000000A70000-0x0000000000A97000-memory.dmp   upx
  behavioral1/memory/2184-18-0x0000000000A70000-0x0000000000A97000-memory.dmp   upx
  behavioral1/memory/1392-22-0x0000000000FC0000-0x0000000000FE7000-memory.dmp   upx
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9dfd9c951f243a2b233e1c3550bb769dc516ba0b933474595383ee7ae1d2cb1eN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1392  9dfd9c951f243a2b233e1c3550bb769dc516ba0b933474595383ee7ae1d2cb1eN.exe
  Token: SeDebugPrivilege  2184  AhnSvc.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                                                    procid_target
  PID 1392 wrote to memory of 2184  1392  9dfd9c951f243a2b233e1c3550bb769dc516ba0b933474595383ee7ae1d2cb1eN.exe  28  (recorded 4 times)
  PID 1392 wrote to memory of 2028  1392  9dfd9c951f243a2b233e1c3550bb769dc516ba0b933474595383ee7ae1d2cb1eN.exe  31  (recorded 4 times)
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\9dfd9c951f243a2b233e1c3550bb769dc516ba0b933474595383ee7ae1d2cb1eN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9dfd9c951f243a2b233e1c3550bb769dc516ba0b933474595383ee7ae1d2cb1eN.exe"
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392 -
Level 2: C:\ProgramData\AhnLab\AhnSvc.exe
  Command line: "C:\ProgramData\AhnLab\AhnSvc.exe" /run
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\9dfd9c951f243a2b233e1c3550bb769dc516ba0b933474595383ee7ae1d2cb1eN.exe" >> NUL
  (The command line names system32\cmd.exe but the image that ran is the SysWOW64 copy: file-system redirection for a 32-bit caller. The del of the parent's own path, with output discarded to NUL, is what the Deletes itself signature keys on.)
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2028
-
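Two of the signatures above (Deletes itself, Adds Run key to start application) are chained in this process tree: the sample writes a Run value that points at the executable it has just dropped and started, then spawns cmd.exe to delete its own image. The Python below is added here as an editorial example (it is not sandbox output and not the sample's code); it encodes those two relationships as checks over an event list constructed from the PIDs, paths and registry value printed in this report. The record layout (pid/ppid/image/cmdline) and the user-writable prefix list are my assumptions, not the sandbox's schema.

```python
import re

# Constructed from the process tree and the Run-key IoC in the report above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9dfd9c951f243a2b233e1c3550bb769dc516ba0b933474595383ee7ae1d2cb1eN.exe"
DROPPED = r"C:\ProgramData\AhnLab\AhnSvc.exe"

PROCESSES = [
    {"pid": 1392, "ppid": 0, "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},
    {"pid": 2184, "ppid": 1392, "image": DROPPED, "cmdline": '"%s" /run' % DROPPED},
    {"pid": 2028, "ppid": 1392, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\system32\\cmd.exe" /c del /q "%s" >> NUL' % SAMPLE},
]
RUN_KEYS = [
    {"pid": 1392,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": "AhnUpadate", "value": '"%s" /run' % DROPPED},
]

# Assumed prefix list: autostart targets under these paths are user-writable and suspect.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")


def tokens(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def norm(path):
    return path.strip('"').replace("/", "\\").lower()


def deleted_targets(cmdline):
    """Paths named after a del/erase verb, stopping at a redirection or chain operator."""
    toks = tokens(cmdline)
    verbs = [i for i, t in enumerate(toks) if t.lower() in ("del", "erase")]
    if not verbs:
        return []
    out = []
    for t in toks[verbs[0] + 1:]:
        if t.startswith((">", "&", "|")):
            break
        if t.startswith("/"):          # /q, /f and other switches
            continue
        out.append(t)
    return out


def self_deletion(procs):
    """cmd.exe children that delete their own parent's image: [(cmd_pid, parent_pid)]."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        if not norm(p["image"]).endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(p["ppid"])
        if parent is None:
            continue
        if any(norm(t) == norm(parent["image"]) for t in deleted_targets(p["cmdline"])):
            hits.append((p["pid"], parent["pid"]))
    return hits


def run_key_to_dropped(procs, run_keys):
    """Run values whose executable sits in a user-writable path and was already
    launched as a child of the process that wrote the value. Wow6432Node\\...\\Run
    is treated exactly like the native key: 64-bit Windows runs both at logon."""
    hits = []
    for r in run_keys:
        toks = tokens(r["value"])
        target = norm(toks[0]) if toks else ""
        if not target.startswith(USER_WRITABLE):
            continue
        for p in procs:
            if p["ppid"] == r["pid"] and norm(p["image"]) == target:
                hits.append((r["name"], p["pid"]))
    return hits


if __name__ == "__main__":
    for cmd_pid, parent in self_deletion(PROCESSES):
        print("self-deletion: PID %d deleted the image of PID %d" % (cmd_pid, parent))
    for name, pid in run_key_to_dropped(PROCESSES, RUN_KEYS):
        print("persistence: Run value %r points at already-running PID %d" % (name, pid))
```

Both checks are relational rather than string matches: a del of some unrelated temp file, or a Run value pointing at Program Files, produces no hit, while the combination seen here (value under ProgramData, target already spawned by the writer, parent image deleted by a child) does. Feed it EDR process and registry events with the same fields and the rules carry over unchanged.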
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize  59KB
MD5       d9615edf9e93a4ad2204ba24349f633e
SHA1      05ecc75b6c9664950d9140fbc815fc9619477de6
SHA256    da0e491bb35b9e1908c6a4df7e76ef1cde139cf3460616fb628cba05f32334ca
SHA512    7c920e05e6d1693e9186ed004f68c5bc34d48b89062dc042997c47fcb7732e9a24cbce8b89b534e239d9693e8c1b61474b8cb896c9248fc0bde3895b9f4b9a42