Analysis
max time kernel: 120s
max time network: 119s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2024, 11:01
Behavioral task behavioral1
Sample: 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe
Resource: win7-20241023-en
Behavioral task behavioral2
Sample: 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe
Resource: win10v2004-20241007-en
General
Target: 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe
Size: 558KB
MD5: 7b401ce98de7fc8a35db7082daf129e0
SHA1: 3d76246c44151ab0b44c05e45efdcd9b73678966
SHA256: 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2a
SHA512: bac3099833dcd8d2a044036136aefcf2cab3700736bd176f59356fc5ff1c214ff01b2156d4740885b09c5d676c5418ae75a789f672cbf47b9dbfb18682827bdc
SSDEEP: 12288:/1+vKnoA0cdoIl9jmDBJ4Uh2DEq/51r575VPFlY5n9Vo:9+vg0HU9EP4UheEq/B7XcA
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created | ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk | Process: 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe
Loads dropped DLL (2 IoCs)
  pid 2064 | Process: 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe (2 identical entries)
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" | Process: 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe
Resources matching yara_rule upx:
  behavioral1/memory/2064-0-0x0000000000400000-0x0000000000551000-memory.dmp
  behavioral1/files/0x000c00000001202c-11.dat
  behavioral1/memory/2064-18-0x0000000000400000-0x0000000000551000-memory.dmp
  behavioral1/memory/2064-24-0x0000000000400000-0x0000000000551000-memory.dmp
  behavioral1/memory/2064-27-0x0000000000400000-0x0000000000551000-memory.dmp
  behavioral1/memory/2064-31-0x0000000000400000-0x0000000000551000-memory.dmp
  behavioral1/memory/2064-34-0x0000000000400000-0x0000000000551000-memory.dmp
  behavioral1/memory/2064-37-0x0000000000400000-0x0000000000551000-memory.dmp
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: WScript.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 2064 | Process: 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe (6 identical entries)
Suspicious behavior: RenamesItself (1 IoC)
  pid 2064 | Process: 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2064 | Process: 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe (2 identical entries)
Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2064 wrote to memory of 1948 | pid 2064 | Process: 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe | procid_target 30 (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe"
   PID: 2064
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe (child of process 1)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      PID: 1948
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 92B
MD5: 84f8f4fb96538c8eb808e2488a64871b
SHA1: 533d741ba3f31b62b83a91baac5c75914e4a37af
SHA256: 0636c5bb460f3c6d7c58656ea9805560cd2bd78c08b6b26a3a7aa13b43c22a3e
SHA512: e1f2b1ce21ca5755e9c353722ecb8190d51c951c46bd0929fd0a775280043dd51de2c6d0d50546ee777f68c23ceebecbf52ea60a152fda437547cdee5fe860e0
File 2
Filesize: 754B
MD5: c021b067fbdde54e68c1b2d963ea52fe
SHA1: 23d49e83d849e8b6e41d4b673eb8540ae3d7f5b9
SHA256: cb6b6496217c51f0a2e87b6230d239a44729d9f7e4355bb5544737a997374cf8
SHA512: 28b2d9d97cb8e0d96134177da6e051686e0e63a672e52db28513028aec029e2cf8f6b6b5f1818d647fa313c079f95d73ab7742754030f7ece8b647406ec1f6c9
File 3
Filesize: 558KB
MD5: 69ee7fb4d9a6f974c0d93cfe8d00f231
SHA1: 92b20fc3b6f992d8c62f2bc2431ad36ec07a0824
SHA256: 202b09ce7b30895b4ab10a1503364769293dab7cbe42d946249d6306b9417873
SHA512: 10920d416d1681b108aa7e9630e7fc85f2990bb85704017ab6b9e0ce11f7bb5eec0874566d689f9a3c9ffb725c730f278540850b27182a46f1ed01f18b1466c4