Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-11-2024 12:05
Behavioral task: behavioral1
- Sample: 240174d446dcde189dff27555ee0fe34620e482e0fc7e3b92f8b7261c6c3dacdN.exe
- Resource: win7-20240903-en
General
- Target: 240174d446dcde189dff27555ee0fe34620e482e0fc7e3b92f8b7261c6c3dacdN.exe
- Size: 317KB
- MD5: 415b52543a92106f55796f445f880750
- SHA1: 0ebd987235e5a22f132908895b1a858a4586b18b
- SHA256: 240174d446dcde189dff27555ee0fe34620e482e0fc7e3b92f8b7261c6c3dacd
- SHA512: 253d7ae1d158fe351da72694d182ab346c35a2923a0aa4fedd8da2a475dd741b8e31eb12cdc89074591283db3b3d11e1a36b8f35429187bdfac2e99782bda817
- SSDEEP: 3072:vSQ0EWVwZhKxC5Rt+k60Zh+qw6PYSsszfHZTZJ2lbaV2:vPA6wxmuJspr2lb6
Malware Config
Signatures
- Andromeda family
- Detects Andromeda payload (2 IoCs)
  yara_rule family_andromeda matched on:
  behavioral2/memory/756-64-0x0000000000E30000-0x0000000000E35000-memory.dmp
  behavioral2/memory/756-68-0x0000000000E30000-0x0000000000E35000-memory.dmp
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\60662 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\mszoetdax.pif" (process: svchost.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: svchost.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (process: 240174d446dcde189dff27555ee0fe34620e482e0fc7e3b92f8b7261c6c3dacdN.exe)
- Executes dropped EXE (3 IoCs)
  PID 1772 skyrpe.exe; PID 4124 skyrpe.exe; PID 3124 skyrpe.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\Users\\Admin\\AppData\\Roaming\\skype\\skyrpe.exe" (process: reg.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum (process: skyrpe.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: skyrpe.exe)
- Suspicious use of SetThreadContext (3 IoCs)
  PID 1848 (240174d446dcde189dff27555ee0fe34620e482e0fc7e3b92f8b7261c6c3dacdN.exe) set thread context of PID 2148 (procid_target 97)
  PID 1772 (skyrpe.exe) set thread context of PID 4124 (procid_target 105)
  PID 1772 (skyrpe.exe) set thread context of PID 3124 (procid_target 106)
- yara_rule upx matched on (15 resources):
  behavioral2/memory/1848-0-0x0000000000400000-0x0000000000452000-memory.dmp
  behavioral2/memory/1848-5-0x0000000000400000-0x0000000000452000-memory.dmp
  behavioral2/memory/2148-9-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral2/memory/2148-11-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral2/memory/1848-13-0x0000000000400000-0x0000000000452000-memory.dmp
  behavioral2/memory/2148-14-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral2/files/0x0007000000023cb5-30.dat
  behavioral2/memory/1772-37-0x0000000000400000-0x0000000000452000-memory.dmp
  behavioral2/memory/1772-41-0x0000000000400000-0x0000000000452000-memory.dmp
  behavioral2/memory/1772-42-0x0000000000400000-0x0000000000452000-memory.dmp
  behavioral2/memory/2148-43-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral2/memory/1772-47-0x0000000000400000-0x0000000000452000-memory.dmp
  behavioral2/memory/1772-58-0x0000000000400000-0x0000000000452000-memory.dmp
  behavioral2/memory/2148-59-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral2/memory/4124-69-0x0000000000400000-0x000000000040B000-memory.dmp
- Drops file in Program Files directory (1 IoC)
  File created: C:\PROGRA~3\LOCALS~1\Temp\mszoetdax.pif (process: svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by skyrpe.exe (3 times), svchost.exe (1), 240174d446dcde189dff27555ee0fe34620e482e0fc7e3b92f8b7261c6c3dacdN.exe (2), cmd.exe (1), reg.exe (1)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3124 skyrpe.exe (2 occurrences)
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID 3124 skyrpe.exe
- Suspicious use of AdjustPrivilegeToken (57 IoCs)
  Token: SeDebugPrivilege, PID 4124 skyrpe.exe (57 occurrences)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 1848 240174d446dcde189dff27555ee0fe34620e482e0fc7e3b92f8b7261c6c3dacdN.exe; PID 2148 240174d446dcde189dff27555ee0fe34620e482e0fc7e3b92f8b7261c6c3dacdN.exe; PID 1772 skyrpe.exe; PID 4124 skyrpe.exe
- Suspicious use of WriteProcessMemory (34 IoCs)
  PID 1848 (240174d446dcde189dff27555ee0fe34620e482e0fc7e3b92f8b7261c6c3dacdN.exe) wrote to memory of PID 2148 (procid_target 97): 8 times
  PID 2148 (240174d446dcde189dff27555ee0fe34620e482e0fc7e3b92f8b7261c6c3dacdN.exe) wrote to memory of PID 3288 (procid_target 98): 3 times
  PID 3288 (cmd.exe) wrote to memory of PID 4004 (procid_target 101): 3 times
  PID 2148 (240174d446dcde189dff27555ee0fe34620e482e0fc7e3b92f8b7261c6c3dacdN.exe) wrote to memory of PID 1772 (procid_target 102): 3 times
  PID 1772 (skyrpe.exe) wrote to memory of PID 4124 (procid_target 105): 8 times
  PID 1772 (skyrpe.exe) wrote to memory of PID 3124 (procid_target 106): 6 times
  PID 3124 (skyrpe.exe) wrote to memory of PID 756 (procid_target 107): 3 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\240174d446dcde189dff27555ee0fe34620e482e0fc7e3b92f8b7261c6c3dacdN.exe (PID 1848)
   Command line: "C:\Users\Admin\AppData\Local\Temp\240174d446dcde189dff27555ee0fe34620e482e0fc7e3b92f8b7261c6c3dacdN.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\240174d446dcde189dff27555ee0fe34620e482e0fc7e3b92f8b7261c6c3dacdN.exe (PID 2148)
      Command line: "C:\Users\Admin\AppData\Local\Temp\240174d446dcde189dff27555ee0fe34620e482e0fc7e3b92f8b7261c6c3dacdN.exe"
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 3288)
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYCQG.bat" "
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\reg.exe (PID 4004)
            Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Skype" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe" /f
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
      3. C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe (PID 1772)
         Command line: "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe (PID 4124)
            Command line: "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
         4. C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe (PID 3124)
            Command line: "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
            - Executes dropped EXE
            - Maps connected drives based on registry
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\svchost.exe (PID 756)
               Command line: C:\Windows\syswow64\svchost.exe
               - Adds policy Run key to start application
               - Drops file in Program Files directory
               - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 139B
  MD5: 0654f004b2e314bad7f75867e91da37d
  SHA1: 4232c22e7340b12108d86e3cb35ed288a3dbc7f1
  SHA256: ead325a060300a9606a3f0f14694be39a3e4006a60c6c3eb0bea5d6f98192249
  SHA512: dda135cdfca90a742d42b4c7a5e7f5df6580ec428302a8f0c311f5b92eb08dda75774e0c7497110faffbe2dfa02b30d2dfe35ec2848a275f53be8d930c7aa553
- Filesize: 317KB
  MD5: de8c96f643e0d7296dce6a2415c3c385
  SHA1: 2e937fc42eff719cc096638737bf93ca9b15b2a3
  SHA256: 53c72f2b613e00ef0eac69738ac8ab59b717e4cc91b35b5fc687ce8d4c74fab8
  SHA512: 9ddbcafe11115e8ad50eaa26af945d4513052852d1bacb5cc52fe926116feeea70028e2102992f210430ec193a08020632a8bcbbc62653560fc78fe78b90a728