Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:33
Static task: static1

Behavioral task: behavioral1
  Sample: 7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
  Resource: win10v2004-20241007-en
General

Target: 7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
Size: 3.2MB
MD5: e547e76f0f4d9826d52b97c35ef3322f
SHA1: 40598d7df8245c5ee9842003bb6761b4254ac8af
SHA256: 7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd
SHA512: 33128f802bee7c0fb98ba4fdd194bc418ee17a83c5ae37ab4d02b39ac448fba776cd51c2e8ec2ba1fd947bb1e23724c3cf7f5615fd24e5a4abe8d4cddaa2e3b9
SSDEEP: 49152:98jKMvDBNjvsJRYKg2lr+N+Hx99OF1mBwNBeN2t+uxUAj49WIxF:gKMvDBBvsJGt2lr+NSYMGeEgUUbW0
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  PID   Process
  440   pfsgc.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Description      IoC                                                                                                                       Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skqyealh = "C:\\Windows\\dxxmuvdll\\pfsgc.exe"  pfsgc.exe

Memory regions matching yara rule "upx":
  Resource                                                                          yara_rule
  behavioral2/memory/1384-0-0x00000000025E0000-0x00000000025EB000-memory.dmp        upx
  behavioral2/memory/1384-1-0x00000000025E0000-0x00000000025EB000-memory.dmp        upx
  behavioral2/memory/440-16-0x0000000000A50000-0x0000000000A5B000-memory.dmp        upx
  behavioral2/memory/440-12-0x0000000000A50000-0x0000000000A5B000-memory.dmp        upx

Drops file in Windows directory (6 IoCs)
Processes:
  Description                   IoC                               Process
  File opened for modification  C:\Windows\dxxmuvdll\pfsgc.exe    7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
  File opened for modification  C:\Windows\Synaptics.7z           pfsgc.exe
  File opened for modification  C:\Windows\Synaptics.rs           pfsgc.exe
  File created                  C:\Windows\Synaptics.7z           7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
  File created                  C:\Windows\Synaptics.rs           7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
  File created                  C:\Windows\dxxmuvdll\pfsgc.exe    7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pfsgc.exe
Delays execution with timeout.exe (2 IoCs)
Processes:
  PID    Process
  1348   timeout.exe
  2532   timeout.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  PID    Process
  1384   7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
  1384   7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
  440    pfsgc.exe
  440    pfsgc.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  Description                          PID    Process                                                                 Target process
  PID 1384 wrote to memory of 4224     1384   7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe   cmd.exe
  PID 1384 wrote to memory of 4224     1384   7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe   cmd.exe
  PID 1384 wrote to memory of 4224     1384   7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe   cmd.exe
  PID 4224 wrote to memory of 1348     4224   cmd.exe                                                                 timeout.exe
  PID 4224 wrote to memory of 1348     4224   cmd.exe                                                                 timeout.exe
  PID 4224 wrote to memory of 1348     4224   cmd.exe                                                                 timeout.exe
  PID 4224 wrote to memory of 2532     4224   cmd.exe                                                                 timeout.exe
  PID 4224 wrote to memory of 2532     4224   cmd.exe                                                                 timeout.exe
  PID 4224 wrote to memory of 2532     4224   cmd.exe                                                                 timeout.exe
  PID 4224 wrote to memory of 440      4224   cmd.exe                                                                 pfsgc.exe
  PID 4224 wrote to memory of 440      4224   cmd.exe                                                                 pfsgc.exe
  PID 4224 wrote to memory of 440      4224   cmd.exe                                                                 pfsgc.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe"
    PID: 1384
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\update.bat
        PID: 4224
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\timeout.exe
            Command line: TIMEOUT /T 2
            PID: 1348
            - System Location Discovery: System Language Discovery
            - Delays execution with timeout.exe

        [3] C:\Windows\SysWOW64\timeout.exe
            Command line: TIMEOUT /T 3
            PID: 2532
            - System Location Discovery: System Language Discovery
            - Delays execution with timeout.exe

        [3] C:\Windows\dxxmuvdll\pfsgc.exe
            Command line: "C:\Windows\dxxmuvdll\pfsgc.exe"
            PID: 440
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 204B
MD5: 152003139841d58f909f8ca56fda521a
SHA1: 96bfbe5604145b2fe44b46157779f57ca291ab31
SHA256: bdb7479d8dcc715a82e7dda74a7f9679dc876eb1952fc58df6598be6be7f3a7b
SHA512: c387d8cc4fa834bf72f2326794947ec22918e04cdcaab0c59291819d4398adcd25d2b0eb5895f47de6fd090e1d2fa02164cadcc22f23cdd0cd5b23a5f9b4a158

Filesize: 96B
MD5: 04d02ca8fb5a9059fb3f67f95529ff20
SHA1: 387900e985fae707bd81af35b91aabf6ada7b956
SHA256: ed7af1f4475ff6498b936e0b92f69c2d5c127c2eaf4e4e4d9d5c706406016340
SHA512: 3004f939bd4ba8d87b116521c94298be9041b41ae9fc8929ca3ccc32a05b4aa969b5537c6364ffa8724b5e271dab298f626370437e3a43cf9dd951d7723b1c1f

Filesize: 3.2MB
MD5: e547e76f0f4d9826d52b97c35ef3322f
SHA1: 40598d7df8245c5ee9842003bb6761b4254ac8af
SHA256: 7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd
SHA512: 33128f802bee7c0fb98ba4fdd194bc418ee17a83c5ae37ab4d02b39ac448fba776cd51c2e8ec2ba1fd947bb1e23724c3cf7f5615fd24e5a4abe8d4cddaa2e3b9