Analysis

max time kernel: 20s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2024, 15:55
Behavioral task: behavioral1
Sample: 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe
Resource: win7-20240903-en
General

Target: 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe
Size: 574KB
MD5: 84dc9e5f85faf4b3a38813e35e289450
SHA1: d5b5eaa57b1bacedaec44723b5f3340936a800dc
SHA256: 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbe
SHA512: ba3a40df870d0aba3987ee4f2993728fba4b69c8ef3661ca34945c068c343abcaf362716c21da4df122d267c1910b862e6208e53b08175c9291f77f0447eee7a
SSDEEP: 6144:XV55pRPQdrFhbEhtVacLaN//2gWF6lxcg/I:XDDGdDbEh/a3tw
Malware Config
Signatures

Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | chkmon32.exe

Executes dropped EXE (1 IoC)
  pid | Process
  2548 | chkmon32.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  2332 | 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe
  2332 | 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe

Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\chkmon32.exe | 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe
  File opened for modification | C:\Windows\SysWOW64\chkmon32.exe | 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe
  File created | C:\Windows\SysWOW64\chkmon32.exe | chkmon32.exe
Yara rule matches:
  resource | yara_rule
  behavioral1/memory/2332-0-0x0000000000400000-0x0000000000448000-memory.dmp | upx
  behavioral1/files/0x000a00000001227e-4.dat | upx
  behavioral1/memory/2332-12-0x0000000000490000-0x00000000004D8000-memory.dmp | upx
  behavioral1/memory/2548-14-0x0000000000400000-0x0000000000448000-memory.dmp | upx
  behavioral1/memory/2332-15-0x0000000000400000-0x0000000000448000-memory.dmp | upx
  behavioral1/memory/2548-17-0x0000000000400000-0x0000000000448000-memory.dmp | upx
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2332 | 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe
  2332 | 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe
  2332 | 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe
  2548 | chkmon32.exe
  2332 | 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe
  2548 | chkmon32.exe  (this row is repeated for all remaining entries, 64 IoCs in total)
Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2332 wrote to memory of 2548 | 2332 | 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | 30
  PID 2332 wrote to memory of 2548 | 2332 | 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | 30
  PID 2332 wrote to memory of 2548 | 2332 | 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | 30
  PID 2332 wrote to memory of 2548 | 2332 | 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | 30
Processes

1. C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe"
   PID: 2332
   - Looks for VMWare Tools registry key
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\chkmon32.exe (child of PID 2332)
      Command line: C:\Windows\system32\chkmon32.exe
      PID: 2548
      - Looks for VMWare Tools registry key
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 595KB
MD5: 9eaa68fd35fe16a5cf760189f2672629
SHA1: b45a4a4b7433c2cc92e4fc9a78dcb254b010c50b
SHA256: de348e95a91804fa618e1a978cb99f5af91dbdf3449c5445ee003ad5cb01c8dd
SHA512: f54ea16aba07dd41e437fba2fcd676490cb45258021131c18b6bf71cb213530baf02632b505cc717f7f8717b01b40c582031b5db9f66b25e101ba2538abf83bd