Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 10-11-2024 01:41
Static task: static1
Behavioral task: behavioral1
- Sample: 1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe
- Resource: win10v2004-20241007-en
General
- Target: 1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe
- Size: 100KB
- MD5: d4f8e25b60088eff3ef72ddea78cab20
- SHA1: d6e3bc4df6334410855a6264e781ad1d61dedd99
- SHA256: 1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ff
- SHA512: ab68a775493b071ee86249239a0311ec253311dea50def683886e6c47428b5bcb91a566f60a88d7ec91d4ecba27311f47d355eeb751459cef2905b708e7140bc
- SSDEEP: 3072:v6IkG9sxKkvWr2h95bTcZz5oqJ7gb3a3+X13XRzT:v5kG9mK2OJE7aOl3BzT
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 2 IoCs)
  Processes: 1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe
  Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (process: 1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" (process: 1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe)
- Berbew family
- Executes dropped EXE (1 IoC)
  Processes: Cacacg32.exe
  PID 2712: Cacacg32.exe
- Loads dropped DLL (6 IoCs)
  Processes: 1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe, WerFault.exe
  PID 2824: 1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe (2 entries)
  PID 2800: WerFault.exe (4 entries)
- Drops file in System32 directory (3 IoCs)
  Processes: 1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe
  File opened for modification: C:\Windows\SysWOW64\Cacacg32.exe (process: 1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe)
  File created: C:\Windows\SysWOW64\Fdlpjk32.dll (process: 1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe)
  File created: C:\Windows\SysWOW64\Cacacg32.exe (process: 1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe)
- Program crash (1 IoC)
  Processes: WerFault.exe
  PID 2800 (WerFault.exe), target PID 2712 (Cacacg32.exe)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: Cacacg32.exe, 1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Cacacg32.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe)
- Modifies registry class (6 IoCs)
  Processes: 1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe (all entries below)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe, Cacacg32.exe
  PID 2824 (1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe) wrote to memory of PID 2712 (Cacacg32.exe) (4 entries)
  PID 2712 (Cacacg32.exe) wrote to memory of PID 2800 (WerFault.exe) (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe"
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2824
  - C:\Windows\SysWOW64\Cacacg32.exe (depth 2, child of PID 2824)
    Command line: C:\Windows\system32\Cacacg32.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2712
    - C:\Windows\SysWOW64\WerFault.exe (depth 3, child of PID 2712)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 140
      - Loads dropped DLL
      - Program crash
      PID: 2800
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 100KB
  MD5: 07b018a1c0b0be36cd553e8ac1ed0b22
  SHA1: e6c0e15e4b448e35f754521b272ab43752817421
  SHA256: 820be018abe5d279b86e5efc4902ba098930d6f5f18291d23f430ff1871082c2
  SHA512: 4090b3b14ac5e9ab8ac980608e1c0d1fa448aca3801561c8bd3eede28ec2a04e26265352a5d2ea3780b49f3f0cbaae6e766e692f8f2742b6f62d0842ed0a5be1