Analysis
max time kernel: 120s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 20:58
Static task: static1
Behavioral task: behavioral1
  Sample: 3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe
  Resource: win10v2004-20241007-en
General
Target: 3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe
Size: 116KB
MD5: 6e183629c2bd4a87ca1a6e3af04f6710
SHA1: 43746b80ddb45db4c4aadb4b848d39c0271519c9
SHA256: 3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6
SHA512: 978da7c1b51bece810018f999fb90e0a8174c96c6c66c7d611eb627228bca1e3ce7fc45d94c644da3565d857131d4734af0cbd4cb572ae69050971de60288f8f
SSDEEP: 768:66eHIMgPRVUUC151Npquv3RnFKE7pGnbcuyD7UTTE:6Fo5U5bLpXRkPnouy8k
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID   Process
  2820  trys.exe
Loads dropped DLL (5 IoCs)
  PID   Process
  2692  3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe  (5 DLL loads recorded)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by reg.exe:
    \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ineter Mc = "C:\\Users\\Admin\\AppData\\Roaming\\trys.exe"
  The value name "Ineter Mc" and a target executable under the user's AppData\Roaming are the two details to key on when hunting for this persistence.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by 3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe, cmd.exe, reg.exe, trys.exe
  Windows' own cmd.exe and reg.exe trigger the same signature here, so on its own it carries little signal.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  2820  trys.exe  (64 identical events)
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID   Process
  2692  3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe
  2820  trys.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Description                       PID   Process                                                                  procid_target  Events
  PID 2692 wrote to memory of 2192  2692  3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe  30             4
  PID 2192 wrote to memory of 2756  2192  cmd.exe                                                                  32             4
  PID 2692 wrote to memory of 2820  2692  3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe  33             4
  Every target is a direct child of the writing process (see the process tree below), which is consistent with the writes CreateProcess performs into a newly created child rather than with injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe"
  PID: 2692
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\BMSXJ.bat" "
      PID: 2192
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Ineter Mc" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\trys.exe" /f
          PID: 2756
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\trys.exe
      Command line: "C:\Users\Admin\AppData\Roaming\trys.exe"
      PID: 2820
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
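The Python below is an added example and is not part of the sandbox report. It encodes the two detection ideas this report supports: a reg.exe write of a Run value whose target executable lives under the user's AppData, and the parent chain of a sample running from a user-writable path spawning cmd.exe with a .bat, which in turn spawns reg.exe. The event records are constructed from the process tree and the "Adds Run key" IoC above; their shape loosely follows Sysmon process-creation and registry-value-set events, but the field names (pid, ppid, image, cmdline, target, details) are this example's own assumption and would have to be mapped from a real log source.

```python
"""Detection logic for the persistence chain recorded in this report.

Added example, not part of the sandbox report. Event records are constructed
from the report's process tree and "Adds Run key" IoC; the field names are an
assumption for this example, not Sysmon's actual schema.
"""
import re
from typing import Dict, List

SAMPLE = "3ccb0991d432d131459fa814c1e9b20435e187b440abb82227434073cd148ff6N.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAMING = r"C:\Users\Admin\AppData\Roaming"

# Process-creation events (constructed from the report's process tree).
PROC_EVENTS: List[Dict] = [
    {"pid": 2692, "ppid": None, "image": TEMP + "\\" + SAMPLE,
     "cmdline": '"' + TEMP + "\\" + SAMPLE + '"'},
    {"pid": 2192, "ppid": 2692, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": 'cmd /c ""' + TEMP + r'\BMSXJ.bat" "'},
    {"pid": 2756, "ppid": 2192, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
                r'/v "Ineter Mc" /t REG_SZ /d "' + ROAMING + r'\trys.exe" /f'},
    {"pid": 2820, "ppid": 2692, "image": ROAMING + r"\trys.exe",
     "cmdline": '"' + ROAMING + r'\trys.exe"'},
]

# Registry value-set event (constructed from the "Adds Run key" IoC).
REG_EVENTS: List[Dict] = [
    {"pid": 2756, "image": r"C:\Windows\SysWOW64\reg.exe",
     "target": r"\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000"
               r"\Software\Microsoft\Windows\CurrentVersion\Run\Ineter Mc",
     "details": ROAMING + r"\trys.exe"},
]

# Run / RunOnce value under any hive; group 1 is the value name.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
# Profile locations a standard user can write to. A Run entry pointing here
# deserves far more scrutiny than one pointing into Program Files or System32.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(?:appdata\\(?:roaming|local)|downloads|desktop)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def run_target_path(details: str) -> str:
    """Extract the executable path from a Run value, dropping quotes and arguments."""
    d = details.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d.strip('"')
    return d.split(" ", 1)[0]


def find_run_key_persistence(reg_events: List[Dict]) -> List[Dict]:
    """Flag Run/RunOnce values whose target executable lives in a user-writable path."""
    findings = []
    for ev in reg_events:
        m = RUN_KEY_RE.search(ev["target"])
        if not m:
            continue
        target = run_target_path(ev["details"])
        if USER_WRITABLE_RE.match(target):
            findings.append({"value_name": m.group(1), "target": target,
                             "writer_pid": ev["pid"], "writer": basename(ev["image"])})
    return findings


def process_chain(proc_events: List[Dict], pid: int) -> List[str]:
    """Walk ppid links from pid to the root; return image basenames, root first."""
    by_pid = {e["pid"]: e for e in proc_events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def find_script_to_reg_chains(proc_events: List[Dict]) -> List[int]:
    """PIDs of reg.exe adding a Run value, launched by cmd.exe running a .bat/.cmd
    whose own parent executes from a user-writable location (the tree above)."""
    by_pid = {e["pid"]: e for e in proc_events}
    hits = []
    for ev in proc_events:
        if basename(ev["image"]).lower() != "reg.exe":
            continue
        if not re.search(r"\bADD\b.*\\CurrentVersion\\Run", ev["cmdline"], re.I):
            continue
        parent = by_pid.get(ev["ppid"])
        if not parent or basename(parent["image"]).lower() != "cmd.exe":
            continue
        if not re.search(r"\.(?:bat|cmd)\b", parent["cmdline"], re.I):
            continue
        grandparent = by_pid.get(parent["ppid"])
        if grandparent and USER_WRITABLE_RE.match(grandparent["image"]):
            hits.append(ev["pid"])
    return hits


if __name__ == "__main__":
    for f in find_run_key_persistence(REG_EVENTS):
        print(f"Run value {f['value_name']!r} -> {f['target']} "
              f"(written by {f['writer']} pid {f['writer_pid']})")
    for pid in find_script_to_reg_chains(PROC_EVENTS):
        print("script -> reg.exe chain:", " -> ".join(process_chain(PROC_EVENTS, pid)))
```

Both checks fire on the constructed records (the Run value "Ineter Mc" pointing into AppData\Roaming, and the chain sample -> cmd.exe -> reg.exe), while the direct launch of trys.exe by the sample is reported as a plain two-element chain and not flagged by the script-to-reg rule. The registry check is deliberately independent of reg.exe, since the same value can be written through the registry API without a child process; the process-chain check catches the batch-file variant even when registry auditing is absent.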
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 135B
MD5: 6dbb2090ff90500da05a027765cde190
SHA1: 425b833d9d1df8d6df6e5a59f738058808271949
SHA256: 71ca0761f7187f2164f62b23d5d9d2dcfd28d9ab9a8dfc14796c3ac06db03881
SHA512: 7e4679e04bd5a69c026949a0d2760a630bc02249a04f3bd224dee41d1bf10f0a29e45812a67c583327a63e5401f0ff2aa9a3f4df8233b150943052c97e861ab3

Filesize: 116KB
MD5: 944c92a2b7e9edc18335293a13611aa9
SHA1: 202d459819f6d36f5638f42bfa61bb26320511c0
SHA256: 22d17918b221715955451db38bfbc36128b912b966f7182e4acee7daa76d3302
SHA512: f7b69815a6fa3ecc86b33ffa0d57ba332c885c498b25a2a69f37b9ac6f28f0c72f4a84e4c5934bd1470a73ad2c0574b3bcfad87962db18d9396becd33a7664f2