Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
  • submitted
    12/11/2024, 13:49

General

  • Target

    4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe

  • Size

    49KB

  • MD5

    23199494a158a78e1a1f926752ea9952

  • SHA1

    5f9957054a0d69568d818b625cc8605b0dfc497c

  • SHA256

    4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74

  • SHA512

    af3bda0090d4fda542cad1974833d92dfbaf2dbe6e8d075c516869f81e3e8860d40048c647005d8415e3fcac0d10e78bb0f5b7846d2f3580ac658ec35b1fbfe4

  • SSDEEP

    768:Sv4MEc04ZzLh3VtAghWjg8qstaNC7WlH8VTrf7AshVN/OE/:SwMEcVLh3QghuGCqV8V3zhb/

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key under Active Setup on the local machine (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<id>); the StubPath value of such a key is executed at each user's next interactive logon, once per user, with completion tracked under the matching HKCU key.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim (typically via locale and keyboard-layout API calls) in order to infer the geographical location of that host; samples commonly use the result to exit on hosts in excluded regions.

  • Runs .reg file with regedit 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
    "C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259465511.reg
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • System Location Discovery: System Language Discovery
      • Runs .reg file with regedit
      PID:2724
    • C:\Windows\SysWOW64\WinHelp11.exe
      C:\Windows\system32\WinHelp11.exe kowdgjttgC:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259465683.reg
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:2684
      • C:\Windows\SysWOW64\WinHelp83.exe
        C:\Windows\system32\WinHelp83.exe kowdgjttgC:\Windows\SysWOW64\WinHelp11.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3012
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
            PID:2856
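
Added example (not part of this report or of the sample): the three signals in the tree above, a silent regedit /s import from Temp, a WinHelp<NN>.exe dropped under SysWOW64 and relaunched with its parent's path as an argument (the hand-off that precedes "Deletes itself"), and svchost.exe spawned from a non-services parent, re-checked with a small Python script over the events as listed. The script also pulls Active Setup StubPath entries out of .reg text and groups the memory-dump names below by base address. The process records and dump names are transcribed from this page; PID 1 for the sample's parent, the .reg contents and the GUID in it are constructed placeholders, since the report shows only the .reg files' hashes.

```python
"""Added example, not part of the sandbox report or the sample. Inputs are
transcribed from the report's process tree and dump list; PID 1 and the
.reg text (with a placeholder GUID) are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Registry path (lower-cased, without the hive) that the Active Setup
# signature keys on; StubPath under it runs at each user's next logon.
ACTIVE_SETUP = "\\software\\microsoft\\active setup\\installed components\\"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str    # image path as recorded by the sandbox
    cmdline: str  # command line as recorded by the sandbox


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe")

# Transcribed from the Processes section; PID 1 is a placeholder parent.
EVENTS: List[Proc] = [
    Proc(2008, 1, SAMPLE, f'"{SAMPLE}"'),
    Proc(2724, 2008, r"C:\Windows\SysWOW64\regedit.exe",
         r"regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259465511.reg"),
    Proc(2736, 2008, r"C:\Windows\SysWOW64\WinHelp11.exe",
         r"C:\Windows\system32\WinHelp11.exe kowdgjttg" + SAMPLE),
    Proc(2684, 2736, r"C:\Windows\SysWOW64\regedit.exe",
         r"regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259465683.reg"),
    Proc(3012, 2736, r"C:\Windows\SysWOW64\WinHelp83.exe",
         r"C:\Windows\system32\WinHelp83.exe kowdgjttgC:\Windows\SysWOW64\WinHelp11.exe"),
    Proc(2856, 3012, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\svchost.exe"),
]


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_findings(events: List[Proc]) -> List[Tuple[int, str]]:
    """Flag each link of the chain in this report as (pid, rule)."""
    by_pid = {p.pid: p for p in events}
    out: List[Tuple[int, str]] = []
    for p in events:
        parent = by_pid.get(p.ppid)
        name, cmd = _name(p.image), p.cmdline.lower()
        # regedit.exe /s <file>.reg from a Temp directory: silent registry import
        if name == "regedit.exe" and re.search(r"\s/s\s", cmd) \
                and "\\temp\\" in cmd and cmd.endswith(".reg"):
            out.append((p.pid, "silent_reg_import_from_temp"))
        # WinHelp<NN>.exe living in a system directory, as the dropped copies here do
        if re.fullmatch(r"winhelp\d+\.exe", name) and \
                re.search(r"\\(syswow64|system32)\\", p.image.lower()):
            out.append((p.pid, "winhelp_variant_in_system_dir"))
            # the new copy is handed the path of the process that launched it
            if parent and parent.image.lower() in cmd:
                out.append((p.pid, "relaunched_with_parent_path"))
        # a real service host is started by services.exe, not by a dropped EXE
        if name == "svchost.exe" and (parent is None or _name(parent.image) != "services.exe"):
            out.append((p.pid, "svchost_nonstandard_parent"))
    return out


# Constructed .reg text; the GUID is a placeholder, not one from the sample.
REG_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}]
"StubPath"="C:\\Windows\\system32\\WinHelp11.exe"
"IsInstalled"=dword:00000001
"""


def active_setup_stubs(reg_text: str) -> List[Tuple[str, str]]:
    """Return (key, StubPath) for every Active Setup component in .reg text.
    Only quoted string values are decoded; hex(2): expand-strings are returned raw."""
    found, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key if ACTIVE_SETUP in key.lower() else None
        elif current and line.lower().startswith('"stubpath"='):
            value = line.split("=", 1)[1].strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = re.sub(r'\\(["\\])', r'\1', value[1:-1])  # undo .reg escapes
            found.append((current, value))
    return found


# Dump names as listed under Downloads: memory/<pid>-<n>-<start>-<end>-memory.dmp
DUMPS = [
    "memory/2008-1-0x0000000013152000-0x000000001315F000-memory.dmp",
    "memory/2736-11-0x0000000013150000-0x00000000131669F4-memory.dmp",
    "memory/2856-24-0x0000000013150000-0x0000000013167000-memory.dmp",
    "memory/2856-25-0x0000000013150000-0x0000000013167000-memory.dmp",
]


def shared_bases(names: List[str]) -> Dict[str, List[int]]:
    """Map each dump base address that recurs across different PIDs to those
    PIDs; with WriteProcessMemory flagged on the parent, a dropper region that
    reappears at the same base inside svchost.exe is the first thing to diff."""
    by_base: Dict[int, set] = {}
    for n in names:
        m = re.fullmatch(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x[0-9A-Fa-f]+-memory\.dmp", n)
        if m:
            by_base.setdefault(int(m.group(2), 16), set()).add(int(m.group(1)))
    return {hex(b): sorted(p) for b, p in by_base.items() if len(p) > 1}


if __name__ == "__main__":
    for pid, rule in find_findings(EVENTS):
        print(pid, rule)
    print(active_setup_stubs(REG_TEXT))
    print(shared_bases(DUMPS))
```

The svchost.exe rule is the one to keep loose: on the page the process has no signature of its own, so the only thing that marks it is its parent, which is exactly what a hollowed host looks like in telemetry.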

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\259465511.reg

    Filesize

    384B

    MD5

    d88165fa73fcdcd831f495f80122ba27

    SHA1

    a189c398ddbc091fde42449a5186a55f7119a425

    SHA256

    41bfbe7838def590d7ee882062c84fb9f2802375bd176a0a3bb4a5f3d027b890

    SHA512

    4228185d45db7a77de1ab4277a827d5e9af6fdd8a987422a5aba0ba089d8010519225f7223a783c927b41c2b9b866c7de4bb1e4bfd78dfb59b453d095d41f523

  • C:\Users\Admin\AppData\Local\Temp\259465683.reg

    Filesize

    384B

    MD5

    633ee34fa6a139e369ac9821ef9f7fc7

    SHA1

    0e3b1edee11bfda878ef1b62f11b1b6790a45a9b

    SHA256

    6655ccc737d9739fefbea2271b979acead3c216153d930d4611ac4d7efc16684

    SHA512

    290e57510cd276ce2e00695905e6c81ebf2bd3cc8f09943f6b52682e464dd77669ddc4d2af089754a3a2d7a5b8dd5c090aa1d5da70b3595656591b5050b62de6

  • C:\Windows\SysWOW64\WinHelp11.exe

    Filesize

    50KB

    MD5

    0a711131a951e2d88fe251864494fe0c

    SHA1

    409b0163e4f78d2fa5d96e3c0783dcc5e45fcbe3

    SHA256

    26babc2779fdea05e48f55223717ef64552eae7b20ebb332216a4bd75abd51e5

    SHA512

    04276781a9ba16fd55e2c1fd91a4dc54d9d54372a74463b0e538f4c2d2ca56c092285f663ab3a11d6e3670fc69d689a186dec28722c2b84f6393446aad029a63

  • C:\Windows\SysWOW64\WinHelp83.exe

    Filesize

    50KB

    MD5

    be33c28723e079887106406e61abcde1

    SHA1

    8fbb5fb57749424f49a903dad9c67075f9ab9ebe

    SHA256

    09444457c7129c5a12f7b8af9c73e89f1a615140ae1260b6c248d855e05c2980

    SHA512

    fd3b86426c1de33d793d6956cd1e77dfb69ce382ddef3b6eb23b7f5b3b669e8cd6c4aa0f217000d65abeab986384a7101819af6a1bbed643e3b3e60af2eb4911

  • memory/2008-1-0x0000000013152000-0x000000001315F000-memory.dmp

    Filesize

    52KB

  • memory/2736-11-0x0000000013150000-0x00000000131669F4-memory.dmp

    Filesize

    90KB

  • memory/2856-24-0x0000000013150000-0x0000000013167000-memory.dmp

    Filesize

    92KB

  • memory/2856-25-0x0000000013150000-0x0000000013167000-memory.dmp

    Filesize

    92KB