Analysis

max time kernel: 106s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:33
Static task: static1

Behavioral task: behavioral1
  Sample: 7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
  Resource: win10v2004-20241007-en
General

Target: 7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
Size: 3.2MB
MD5: e547e76f0f4d9826d52b97c35ef3322f
SHA1: 40598d7df8245c5ee9842003bb6761b4254ac8af
SHA256: 7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd
SHA512: 33128f802bee7c0fb98ba4fdd194bc418ee17a83c5ae37ab4d02b39ac448fba776cd51c2e8ec2ba1fd947bb1e23724c3cf7f5615fd24e5a4abe8d4cddaa2e3b9
SSDEEP: 49152:98jKMvDBNjvsJRYKg2lr+N+Hx99OF1mBwNBeN2t+uxUAj49WIxF:gKMvDBBvsJGt2lr+NSYMGeEgUUbW0
Malware Config
Signatures
Deletes itself 1 IoCs
  Processes (pid, process):
    2864  cmd.exe

Executes dropped EXE 1 IoCs
  Processes (pid, process):
    2840  pdcosw.exe

Loads dropped DLL 2 IoCs
  Processes (pid, process):
    2864  cmd.exe
    2864  cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fihspepz = "C:\\Program Files (x86)\\rvsolbevkh\\pdcosw.exe"  pdcosw.exe

  Processes (resource, yara_rule):
    behavioral1/memory/2904-0-0x0000000000260000-0x000000000026B000-memory.dmp   upx
    behavioral1/memory/2904-1-0x0000000000260000-0x000000000026B000-memory.dmp   upx
    behavioral1/memory/2840-22-0x0000000000350000-0x000000000035B000-memory.dmp  upx
    behavioral1/memory/2840-18-0x0000000000350000-0x000000000035B000-memory.dmp  upx

Drops file in Program Files directory 2 IoCs
  Processes (description, ioc, process):
    File created                  C:\Program Files (x86)\rvsolbevkh\pdcosw.exe  7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
    File opened for modification  C:\Program Files (x86)\rvsolbevkh\pdcosw.exe  7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe

Drops file in Windows directory 4 IoCs
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\Synaptics.7z  pdcosw.exe
    File opened for modification  C:\Windows\Synaptics.rs  pdcosw.exe
    File created                  C:\Windows\Synaptics.7z  7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
    File created                  C:\Windows\Synaptics.rs  7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
  Processes (description, ioc, process):
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pdcosw.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe

Delays execution with timeout.exe 2 IoCs
  Processes (pid, process):
    2996  timeout.exe
    2096  timeout.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  Processes (pid, process):
    2840  pdcosw.exe

Suspicious use of SetWindowsHookEx 4 IoCs
  Processes (pid, process):
    2904  7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
    2904  7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
    2840  pdcosw.exe
    2840  pdcosw.exe

Suspicious use of WriteProcessMemory 19 IoCs
  Processes (description, pid, process, target process):
    PID 2904 wrote to memory of 2864  2904  7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe  cmd.exe
    PID 2904 wrote to memory of 2864  2904  7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe  cmd.exe
    PID 2904 wrote to memory of 2864  2904  7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe  cmd.exe
    PID 2904 wrote to memory of 2864  2904  7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe  cmd.exe
    PID 2904 wrote to memory of 2864  2904  7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe  cmd.exe
    PID 2904 wrote to memory of 2864  2904  7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe  cmd.exe
    PID 2904 wrote to memory of 2864  2904  7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe  cmd.exe
    PID 2864 wrote to memory of 2996  2864  cmd.exe  timeout.exe
    PID 2864 wrote to memory of 2996  2864  cmd.exe  timeout.exe
    PID 2864 wrote to memory of 2996  2864  cmd.exe  timeout.exe
    PID 2864 wrote to memory of 2996  2864  cmd.exe  timeout.exe
    PID 2864 wrote to memory of 2096  2864  cmd.exe  timeout.exe
    PID 2864 wrote to memory of 2096  2864  cmd.exe  timeout.exe
    PID 2864 wrote to memory of 2096  2864  cmd.exe  timeout.exe
    PID 2864 wrote to memory of 2096  2864  cmd.exe  timeout.exe
    PID 2864 wrote to memory of 2840  2864  cmd.exe  pdcosw.exe
    PID 2864 wrote to memory of 2840  2864  cmd.exe  pdcosw.exe
    PID 2864 wrote to memory of 2840  2864  cmd.exe  pdcosw.exe
    PID 2864 wrote to memory of 2840  2864  cmd.exe  pdcosw.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe"
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2904

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\update.bat
      - Deletes itself
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2864

      3. C:\Windows\SysWOW64\timeout.exe
         Command line: TIMEOUT /T 2
         - System Location Discovery: System Language Discovery
         - Delays execution with timeout.exe
         PID: 2996

      3. C:\Windows\SysWOW64\timeout.exe
         Command line: TIMEOUT /T 3
         - System Location Discovery: System Language Discovery
         - Delays execution with timeout.exe
         PID: 2096

      3. C:\Program Files (x86)\rvsolbevkh\pdcosw.exe
         Command line: "C:\Program Files (x86)\rvsolbevkh\pdcosw.exe"
         - Executes dropped EXE
         - Adds Run key to start application
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
         PID: 2840
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 218B
MD5: 755ae2509932ae47b07c7b96b3ea41bf
SHA1: 8b27354184939c4483d0c07bc0b067af13617e9f
SHA256: e326773bedbc28e66842933901c9a277960dbf17e4cdf40465bbd39e14701b0f
SHA512: e4cbff4b674d3e72efdd3e949b1ddff681b60c9f9999f3767101fb189e349fbf2b3fd9c2c5242090863257c441294127f12615a49353f2ff551ee61366f69ad5

Filesize: 320B
MD5: 3ce00833d4427d727d98f8f4105ad476
SHA1: 119e9267eb9e33346fd3344024619c9edc42c43d
SHA256: 0188fec66b72b38273b934e4f3c91b9e713d21f6aaac1ca012a69e956e5b1cc8
SHA512: 913e1207043a4e46261d9de697d2e10580ad276b1b17ddd166ece0583e6f251607e59881006afbe43795b68ea0bb2c967b4b78797ce195d21d28491a733aeea1

Filesize: 320B
MD5: ea29a928121503e9659a143a41bcc81a
SHA1: bb39d03bbd600d6ffdb9b763797493eaccd61f64
SHA256: e90a70e3fd28c4b44e1e3c5e2fd6993e31f1821cefd305a227393c9fb9013a13
SHA512: 52119eb71742b63f215443389d3e39148131ca5ba0b3675b27c7ecf297fabb5b0ac80bc8a5f609482afb30778e5ffc7ce590815500e1c752eee807446e25c399

Filesize: 3.2MB
MD5: e547e76f0f4d9826d52b97c35ef3322f
SHA1: 40598d7df8245c5ee9842003bb6761b4254ac8af
SHA256: 7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd
SHA512: 33128f802bee7c0fb98ba4fdd194bc418ee17a83c5ae37ab4d02b39ac448fba776cd51c2e8ec2ba1fd947bb1e23724c3cf7f5615fd24e5a4abe8d4cddaa2e3b9