Analysis

  • max time kernel
    18s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09/11/2024, 20:57

General

  • Target

    6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe

  • Size

    53KB

  • MD5

    e116f26057aa6eee6f1aa5b7fc09b2e0

  • SHA1

    aab7ef204866eb4e19ab7176905f44c4cdbfcf3e

  • SHA256

    6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903

  • SHA512

    76d11323041e06ef1c430c1dcdda20fd7518087c057d02cea6bf12f5b4f5d62dd8ffbab365a55d862e9ff5ca99c534ffd1c91f8163f5722b65ec6f2a497257b8

  • SSDEEP

    1536:bN8g8r8QoeXKn7Kp3StjEMjmLM3ztDJWZsXy4JzxPM0:oXKnJJjmLM3zRJWZsXy4J9

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe
    "C:\Users\Admin\AppData\Local\Temp\6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Users\Admin\ketiz.exe
      "C:\Users\Admin\ketiz.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 280
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2052
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 524
      2⤵
      • Program crash
      PID:2072

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \Users\Admin\ketiz.exe

          Filesize

          53KB

          MD5

          ba8689c682bfbf1ff06d38be5801a76c

          SHA1

          537ec49c56706bcbe4c565ea792e84e277e1b227

          SHA256

          dde069830909ca2bf90f8909aaf0904218489f31817ec73d48d95aedd88049bd

          SHA512

          7f118e632185878d187e374e80bb3c08ffb128f159ef7eba49d099c838a5b46585167dfe070ca9ec96b103fa26fc20d944de32d5dd5616aceae11aac1a50f7ac

        • memory/2156-16-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

        • memory/2156-25-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

        • memory/2860-0-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

        • memory/2860-15-0x0000000003830000-0x0000000003842000-memory.dmp

          Filesize

          72KB

        • memory/2860-14-0x0000000003830000-0x0000000003842000-memory.dmp

          Filesize

          72KB

        • memory/2860-26-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB