Analysis
max time kernel: 18s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 20:57
Static task: static1
Behavioral task: behavioral1
  Sample: 6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe
  Resource: win10v2004-20241007-en
General
Target: 6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe
Size: 53KB
MD5: e116f26057aa6eee6f1aa5b7fc09b2e0
SHA1: aab7ef204866eb4e19ab7176905f44c4cdbfcf3e
SHA256: 6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903
SHA512: 76d11323041e06ef1c430c1dcdda20fd7518087c057d02cea6bf12f5b4f5d62dd8ffbab365a55d862e9ff5ca99c534ffd1c91f8163f5722b65ec6f2a497257b8
SSDEEP: 1536:bN8g8r8QoeXKn7Kp3StjEMjmLM3ztDJWZsXy4JzxPM0:oXKnJJjmLM3zRJWZsXy4J9
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID   Process
  2156  ketiz.exe
- Loads dropped DLL (7 IoCs)
  PID   Process
  2860  6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe
  2860  6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe
  2052  WerFault.exe
  2052  WerFault.exe
  2052  WerFault.exe
  2052  WerFault.exe
  2052  WerFault.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  PID   PID target  Process       procid_target
  2072  2860        WerFault.exe  27
  2052  2156        WerFault.exe  28
  Both the sample (PID 2860) and the dropped ketiz.exe (PID 2156) crashed, and each launched its own WerFault.exe instance (PIDs 2072 and 2052); procid_target is the sandbox's own process index (27 = the sample, 28 = ketiz.exe), not a Windows PID.
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Description  IoC                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ketiz.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID   Process
  2860  6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe
  2156  ketiz.exe
- Suspicious use of WriteProcessMemory (12 IoCs; each write is logged four times)
  Description              PID   Process                                                                   procid_target
  PID 2860 wrote to 2156   2860  6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe   28
  PID 2860 wrote to 2072   2860  6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe   29
  PID 2156 wrote to 2052   2156  ketiz.exe                                                                 30
  Every target is a process that the writer itself spawned (2156 and 2072 are children of 2860, 2052 is a child of 2156, see the process tree below). That pattern is consistent with the memory writes a parent performs while creating a child process; none of the writes targets a process outside the writer's own lineage.
Processes
Image: C:\Users\Admin\AppData\Local\Temp\6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe"
Depth 1, PID 2860
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Image: C:\Users\Admin\ketiz.exe
  Command line: "C:\Users\Admin\ketiz.exe"
  Depth 2, PID 2156
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Image: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 280
    Depth 3, PID 2052
      - Loads dropped DLL
      - Program crash
  Image: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 524
  Depth 2, PID 2072
    - Program crash
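The WriteProcessMemory and Program crash signatures above are easy to over-read. The following script is an added example, not part of the sandbox report or of the sample: it rebuilds the process tree from the report's "Processes" section, parses the "wrote to memory of" lines, and separates writes into a process the writer itself spawned (which is what process creation looks like to a sandbox hook) from writes into an unrelated process, which is the injection case worth escalating. It also pairs each WerFault.exe instance with the faulting PID from its -p argument. The process list and event lines are constructed from the report; the line tagged HYPOTHETICAL is invented to exercise the cross-process branch and does not appear in the report, and the profile-root heuristic for dropped executables is an assumption, not one of the report's signatures.

```python
"""Rebuild a sandbox process tree and classify its WriteProcessMemory events.

Added example (not part of the sandbox report). PROCESSES and
REPORT_WPM_LINES are constructed from the report's "Processes" and
"Suspicious use of WriteProcessMemory" sections.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE = "6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]  # None for the root of the sandbox's tree
    image: str
    cmdline: str


# Constructed from the report's process tree (depth 1 -> 2 -> 3).
PROCESSES = [
    Proc(2860, None, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    Proc(2156, 2860, r"C:\Users\Admin\ketiz.exe", r'"C:\Users\Admin\ketiz.exe"'),
    Proc(2052, 2156, WERFAULT, WERFAULT + " -u -p 2156 -s 280"),
    Proc(2072, 2860, WERFAULT, WERFAULT + " -u -p 2860 -s 524"),
]

# Constructed from the 12 "wrote to memory of" entries in the report.
REPORT_WPM_LINES = (
    [f"PID 2860 wrote to memory of 2156 2860 {SAMPLE} 28"] * 4
    + [f"PID 2860 wrote to memory of 2072 2860 {SAMPLE} 29"] * 4
    + ["PID 2156 wrote to memory of 2052 2156 ketiz.exe 30"] * 4
)
# HYPOTHETICAL, not in the report: the dropped child writing into its parent.
HYPOTHETICAL_INJECTION_LINE = "PID 2156 wrote to memory of 2860 2156 ketiz.exe 27"

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<proc>\S+) (?P<procid>\d+)$"
)
WERFAULT_PID_RE = re.compile(r"WerFault\.exe .*-p (\d+)")
# Heuristic (assumption, not a report signature): an .exe sitting directly in
# a user's profile root, e.g. C:\Users\Admin\ketiz.exe.
PROFILE_ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


def parse_wpm(lines: List[str]) -> List[Tuple[int, int, str]]:
    """Parse 'PID <src> wrote to memory of <dst> <src> <image> <procid>' lines."""
    events = []
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised WriteProcessMemory line: {line!r}")
        events.append((int(m["src"]), int(m["dst"]), m["proc"]))
    return events


def classify_writes(events, procs) -> Dict[Tuple[int, int], Tuple[str, int]]:
    """Map (writer, target) -> (verdict, count).

    child-setup    target is a process the writer itself spawned
    cross-process  target is some other process: candidate injection
    unknown-target target pid is not in the tree at all
    """
    by_pid = {p.pid: p for p in procs}
    verdicts = {}
    for (src, dst, _proc), n in Counter(events).items():
        target = by_pid.get(dst)
        if target is None:
            verdict = "unknown-target"
        elif target.ppid == src:
            verdict = "child-setup"
        else:
            verdict = "cross-process"
        verdicts[(src, dst)] = (verdict, n)
    return verdicts


def crashed_processes(procs) -> Dict[int, Tuple[int, Optional[str], bool]]:
    """For each WerFault.exe: (faulting pid from -p, its image, whether that pid
    is WerFault's own parent, i.e. the parent crashed and spawned WER itself)."""
    by_pid = {p.pid: p for p in procs}
    crashes = {}
    for p in procs:
        if not p.image.lower().endswith("\\werfault.exe"):
            continue
        m = WERFAULT_PID_RE.search(p.cmdline)
        if m:
            faulting = int(m.group(1))
            image = by_pid[faulting].image if faulting in by_pid else None
            crashes[p.pid] = (faulting, image, faulting == p.ppid)
    return crashes


def dropped_exe_children(procs, sample_pid: int) -> List[int]:
    """PIDs of .exe children of the sample run from a profile root (heuristic)."""
    return [p.pid for p in procs if p.ppid == sample_pid and PROFILE_ROOT_EXE_RE.match(p.image)]


if __name__ == "__main__":
    for (src, dst), (verdict, n) in classify_writes(parse_wpm(REPORT_WPM_LINES), PROCESSES).items():
        print(f"{src} -> {dst}: {verdict} x{n}")
    print(classify_writes(parse_wpm([HYPOTHETICAL_INJECTION_LINE]), PROCESSES))
    print(crashed_processes(PROCESSES))
    print(dropped_exe_children(PROCESSES, 2860))
```

Run against the report's own lines, all three writer/target pairs come back as child-setup, which is why this signature alone does not indicate injection here; only the invented line is classified cross-process. The WerFault check confirms that each -p value is the WerFault instance's own parent, i.e. the sample and ketiz.exe each crashed rather than one process launching WER for another.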
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 53KB
MD5: ba8689c682bfbf1ff06d38be5801a76c
SHA1: 537ec49c56706bcbe4c565ea792e84e277e1b227
SHA256: dde069830909ca2bf90f8909aaf0904218489f31817ec73d48d95aedd88049bd
SHA512: 7f118e632185878d187e374e80bb3c08ffb128f159ef7eba49d099c838a5b46585167dfe070ca9ec96b103fa26fc20d944de32d5dd5616aceae11aac1a50f7ac