Analysis
-
max time kernel
119s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07/11/2024, 10:27
Behavioral task
behavioral1
Sample
6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe
Resource
win10v2004-20241007-en
General
-
Target
6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe
-
Size
1.3MB
-
MD5
23d0ba89b4f4f13a84f971538087cef0
-
SHA1
7e6770617f557f1a610d5c028601084dbb1d161d
-
SHA256
6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588eb
-
SHA512
772104451184784ad2c034db833fcb23c7cb350d11559ccebee6d4577e53400f9a08941cc86337b27c4e2d106366594cb360cf93c5e1564074579379d91172a8
-
SSDEEP
24576:nAD3HRNtvJ2QY6ynjTdcpLmBtMs51aoflG4/iMtQkSNSFkeKvvvvLpphd7d8ddPp:nkpBs5dlG4/i0QkSoeeKvvvvLpphd7dM
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk 6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" 6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe -
resource yara_rule behavioral1/memory/2980-0-0x0000000000400000-0x000000000054E000-memory.dmp upx behavioral1/files/0x0007000000012118-10.dat upx behavioral1/memory/2980-15-0x0000000000400000-0x000000000054E000-memory.dmp upx behavioral1/memory/2980-18-0x0000000000400000-0x000000000054E000-memory.dmp upx behavioral1/memory/2980-21-0x0000000000400000-0x000000000054E000-memory.dmp upx behavioral1/memory/2980-25-0x0000000000400000-0x000000000054E000-memory.dmp upx behavioral1/memory/2980-28-0x0000000000400000-0x000000000054E000-memory.dmp upx behavioral1/memory/2980-31-0x0000000000400000-0x000000000054E000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2980 6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe 2980 6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe 2980 6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe 2980 6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe 2980 6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe 2980 6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2980 6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2980 6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe 2980 6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2980 wrote to memory of 2728 2980 6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe 30 PID 2980 wrote to memory of 2728 2980 6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe 30 PID 2980 wrote to memory of 2728 2980 6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe 30 PID 2980 wrote to memory of 2728 2980 6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe"C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe"1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- System Location Discovery: System Language Discovery
PID:2728
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92B
MD50a09f354748324840a98a09a15172fb8
SHA141dc1d5cb5f99590ea7b83516be4ca616707932a
SHA25631a81ee87f0c6987d56d48ccac000d92e2a4efdb6b2f84787e9ef420d9f91c7d
SHA512f21a7c0f5f13285b5faa1fdaca04d15460d9b436eda4bb98a761bdb02b802f00c1c5727d84c97565891d317cd2dbc92ac370ecb8c248082a83a51558cd63bda8
-
Filesize
754B
MD51ad8d14bdca2c5d707f6f300e36e4eec
SHA18e1e1c7bc3c6c744a7611981b6a868901c1eca3b
SHA2567630a9b1260b8a03d7c27520e3e395797b824c4391e4ea7b8e29e1d057995cbe
SHA512a57b1aaa29a9ee63d0a584a5659518aca335705884b6d98574a873af4faf82df5e1b6b1d793ad33607a9d5540be14c17004001d9742ab66c667212fa186ad5fd
-
Filesize
1.3MB
MD5d5a4690f6c616abb87f13dc81b1c83bc
SHA15fb2f5fa4952ecd6f4729f060188503146dd6e75
SHA25651d50c5d05e5082562a4eb2001097223bf0bbb7b4421606fc9e2b6aa0b155c1c
SHA5121f3b2253b02d34cc212df96364b18dd03814af014be0d43a35abf75fe09da0b4d0e96bd6e45ee03524faac2ef4cbbf90caf784c6385ddbc3d88fbfc855f0926d