Analysis
-
max time kernel
149s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/11/2024, 21:33
Static task
static1
Behavioral task
behavioral1
Sample
931ad7d69e2f29b352a13432b450c7fe7411e487693adb6151d2aa3b95f0aa6f.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
931ad7d69e2f29b352a13432b450c7fe7411e487693adb6151d2aa3b95f0aa6f.exe
Resource
win10v2004-20241007-en
General
-
Target
931ad7d69e2f29b352a13432b450c7fe7411e487693adb6151d2aa3b95f0aa6f.exe
-
Size
1.1MB
-
MD5
a342c7ffae84f6d3246133fc9be6b9ad
-
SHA1
484a5eccca8f24a1aa5fc328e234bf141bb3e989
-
SHA256
931ad7d69e2f29b352a13432b450c7fe7411e487693adb6151d2aa3b95f0aa6f
-
SHA512
8da1cf5426e787c8db18b7a923b3374a091abe0485f6fa17ac37f4c8bfaca744a8bbf4ad6038c484d3efec98902ac0336de1972a0d972f4892fdfd35636b1dfd
-
SSDEEP
24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QK:acallSllG4ZM7QzMp
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 931ad7d69e2f29b352a13432b450c7fe7411e487693adb6151d2aa3b95f0aa6f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2676 931ad7d69e2f29b352a13432b450c7fe7411e487693adb6151d2aa3b95f0aa6f.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2676 931ad7d69e2f29b352a13432b450c7fe7411e487693adb6151d2aa3b95f0aa6f.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2676 931ad7d69e2f29b352a13432b450c7fe7411e487693adb6151d2aa3b95f0aa6f.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2676 931ad7d69e2f29b352a13432b450c7fe7411e487693adb6151d2aa3b95f0aa6f.exe 2676 931ad7d69e2f29b352a13432b450c7fe7411e487693adb6151d2aa3b95f0aa6f.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2676 wrote to memory of 2128 2676 931ad7d69e2f29b352a13432b450c7fe7411e487693adb6151d2aa3b95f0aa6f.exe 31 PID 2676 wrote to memory of 2128 2676 931ad7d69e2f29b352a13432b450c7fe7411e487693adb6151d2aa3b95f0aa6f.exe 31 PID 2676 wrote to memory of 2128 2676 931ad7d69e2f29b352a13432b450c7fe7411e487693adb6151d2aa3b95f0aa6f.exe 31 PID 2676 wrote to memory of 2128 2676 931ad7d69e2f29b352a13432b450c7fe7411e487693adb6151d2aa3b95f0aa6f.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\931ad7d69e2f29b352a13432b450c7fe7411e487693adb6151d2aa3b95f0aa6f.exe"C:\Users\Admin\AppData\Local\Temp\931ad7d69e2f29b352a13432b450c7fe7411e487693adb6151d2aa3b95f0aa6f.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- System Location Discovery: System Language Discovery
PID:2128
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
753B
MD56a91da6fadce814a8e96b41aa5a627c2
SHA11e18b7c5ba70177097abe0c776ce32644e28da49
SHA2563a3860ab1d3675d3b91dbb232b4eb3e182aeea4c2299fe315f2711dc0476ea86
SHA512c9c94d6363238cbe8fd5422a928f46c2f2aa16b533767ceb1d955c5fc1c94c7abd0315ae0d00bc06d0aa8cf6c767b03ea41dd08fcc8352c4813cd88495fa7073