Analysis
- max time kernel: 120s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09/11/2024, 15:34
Static task: static1
Behavioral task: behavioral1
  Sample: 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe
  Resource: win10v2004-20241007-en
General
- Target: 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe
- Size: 524KB
- MD5: 088da2d6bac46c6d2df6c6c29e28b170
- SHA1: a7ce89dc0265d52ba26727ceed4a9102511d7e0d
- SHA256: 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628
- SHA512: f813d4e4e46233b4edccf41c1a891b82059251d59b7341ced80bd623bc4f53d6f4057eb3436bbdf12e67c210c77a1efa0ac73f0f3216510abbc6ca8afe2a67ad
- SSDEEP: 12288:LLS65eo7WOcg3kXaD5Ny6+KW78FCjIwQpe:LLS65eKWOpkXaLy6OECXQpe
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  PID / Process:
  - 2476 WindowsService.exe
  - 444 WindowsService.exe
- Loads dropped DLL (5 IoCs)
  PID / Process:
  - 980 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe (5 occurrences)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Description / IoC / Process:
  - Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsService = "C:\\Users\\Admin\\AppData\\Roaming\\SystemWindowsWindowsService\\WindowsService.exe" (reg.exe)
- Suspicious use of SetThreadContext (3 IoCs)
  Description / PID / Process / procid_target:
  - PID 2532 set thread context of 980 / 2532 / 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe / 30
  - PID 2476 set thread context of 444 / 2476 / WindowsService.exe / 36
  - PID 2476 set thread context of 0 / 2476 / WindowsService.exe / (none)
- UPX yara rule matches (resource / yara_rule):
  - behavioral1/memory/980-298-0x0000000000400000-0x000000000040B000-memory.dmp / upx
  - behavioral1/memory/980-340-0x0000000000400000-0x000000000040B000-memory.dmp / upx
  - behavioral1/memory/444-612-0x0000000000400000-0x000000000040B000-memory.dmp / upx
  - behavioral1/memory/980-619-0x0000000000400000-0x000000000040B000-memory.dmp / upx
  - behavioral1/memory/444-621-0x0000000000400000-0x000000000040B000-memory.dmp / upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description / IoC / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe, 2 occurrences)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WindowsService.exe, 2 occurrences)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Description / PID / Process:
  - Token: SeDebugPrivilege / 444 / WindowsService.exe (64 occurrences)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID / Process:
  - 2532 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe
  - 980 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe
  - 2476 WindowsService.exe
  - 444 WindowsService.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Description / PID / Process / procid_target:
  - PID 2532 wrote to memory of 980 / 2532 / 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe / 30 (8 occurrences)
  - PID 980 wrote to memory of 2180 / 980 / 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe / 31 (4 occurrences)
  - PID 2180 wrote to memory of 1624 / 2180 / cmd.exe / 33 (4 occurrences)
  - PID 980 wrote to memory of 2476 / 980 / 2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe / 34 (4 occurrences)
  - PID 2476 wrote to memory of 444 / 2476 / WindowsService.exe / 36 (8 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe (PID 2532)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe (PID 980)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2ddb90ba6fcd210c02903afbb47630523d4661d4b0069bfd3386abfbef34e628N.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2180)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\HDYCP.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 1624)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsService" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindowsWindowsService\WindowsService.exe" /f
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Roaming\SystemWindowsWindowsService\WindowsService.exe (PID 2476)
      Command line: "C:\Users\Admin\AppData\Roaming\SystemWindowsWindowsService\WindowsService.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\SystemWindowsWindowsService\WindowsService.exe (PID 444)
        Command line: "C:\Users\Admin\AppData\Roaming\SystemWindowsWindowsService\WindowsService.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 178B
  MD5: c2cc427c87f0a6e231266dbb4d5b6ac5
  SHA1: e0849fc705f915d218b2dc2f744bb24157022355
  SHA256: 1b985a6f00b15b5eb13fd2b9c79f163e2c3ed1b8d4133e08f213dc6dc7850999
  SHA512: be4d6b172b0c92d1ffa33b30c642db3ccbda637af92234853918ef5e3c6c40121ec10c42557c96ddbc234d0d539c47c6c5adc8bf4c77e9daf8204661215a8e37
- Filesize: 524KB
  MD5: 8bf79d0710d6051f67bd3e9a400e7210
  SHA1: 06bbd0c668da2f88df7fa397cec014f9a4ea4b57
  SHA256: 58265b56e3429d0981df3ba159dd479de9824a946fb67dabf35ecef512d29573
  SHA512: c07078997a1582d163177d167e49b84ecff717a190b0d699db01856ebdf8e641423bca8b550343d71d85e0d71e6c2259b2fba793e1774660027b0bf6ff3dbb85