Analysis
max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
09/11/2024, 15:50
Static task
static1
Behavioral task
behavioral1
Sample
80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe
Resource
win10v2004-20241007-en
General
Target
80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe
Size
424KB
MD5
427f77d8ed22b8e092aa5b06578d9300
SHA1
6fa46ca549b8f52f21f769b4e19e5f8dd4a9ba57
SHA256
80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67
SHA512
89bd0577ed9b989c7792214de584255d600550638cddcc4194ec5160abc2b5c48745dac2c9623a27964a0807436e3d68d774565d69f65c984f8ac46ceeee0b89
SSDEEP
12288:v16h5mf3I2iwDzgn3Y5h6sriJdtt9ryg4Wr2:vQXa3Kw/gnShktt9WJo2
Malware Config
Signatures
Executes dropped EXE 1 IoCs
pid Process
2288 nLjFmIn06300.exe
Loads dropped DLL 2 IoCs
pid Process
2068 80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe
2068 80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nLjFmIn06300 = "C:\\ProgramData\\nLjFmIn06300\\nLjFmIn06300.exe" nLjFmIn06300.exe
resource yara_rule
behavioral1/memory/2068-5-0x0000000000400000-0x00000000004B3000-memory.dmp upx
behavioral1/memory/2068-3-0x0000000000400000-0x00000000004B3000-memory.dmp upx
behavioral1/memory/2068-1-0x0000000000400000-0x00000000004B3000-memory.dmp upx
behavioral1/memory/2068-6-0x0000000000400000-0x00000000004B3000-memory.dmp upx
behavioral1/memory/2288-24-0x0000000000400000-0x00000000004B3000-memory.dmp upx
behavioral1/memory/2068-28-0x0000000000400000-0x00000000004B3000-memory.dmp upx
behavioral1/memory/2288-30-0x0000000000400000-0x00000000004B3000-memory.dmp upx
behavioral1/memory/2288-38-0x0000000000400000-0x00000000004B3000-memory.dmp upx
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nLjFmIn06300.exe
Modifies Internet Explorer settings
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main nLjFmIn06300.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 2068 80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe
Token: SeDebugPrivilege 2288 nLjFmIn06300.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
2288 nLjFmIn06300.exe
2288 nLjFmIn06300.exe
Suspicious use of SendNotifyMessage 2 IoCs
pid Process
2288 nLjFmIn06300.exe
2288 nLjFmIn06300.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
2288 nLjFmIn06300.exe
2288 nLjFmIn06300.exe
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2068 wrote to memory of 2288 2068 80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe 30
PID 2068 wrote to memory of 2288 2068 80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe 30
PID 2068 wrote to memory of 2288 2068 80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe 30
PID 2068 wrote to memory of 2288 2068 80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe 30
Processes
C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe
"C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2068
  C:\ProgramData\nLjFmIn06300\nLjFmIn06300.exe
  "C:\ProgramData\nLjFmIn06300\nLjFmIn06300.exe" "C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID: 2288
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
424KB
MD5
738910a2344632f408260f06e63a1757
SHA1
177c126be19d855b78f0721e0685913824d38164
SHA256
95df4d76caf3b76c397b514d3444c9df32af0c5c35a04caafa2c222c9d44e008
SHA512
be24a1238331c0c65216513244371955958abb9a94ab4aa8db7a629d3a048cef9b660a8bd7750121cf3226e93deb4c72945370f30571cbd8cb95f3a15a32ec8c