Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 13:53
Static task: static1
Behavioral task: behavioral1
Sample: ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe
Resource: win10v2004-20241007-en
General
Target: ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe
Size: 665KB
MD5: 4c0c38e7fad334322adc74c33eb50ac0
SHA1: d0706bfa6dab31f79f7cbe6265569e8b1184dbdb
SHA256: ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0
SHA512: 5542d4f78b1af871ab097fc2caeaeb84fb82064a73e7da94cb9d613a10e1442c924358c15f5b5fd6128eba75312096c3a66170ff087bfadaa5c9d46013e60523
SSDEEP: 12288:3Z8nkF9oy1ADvMKdhAS0jjLz7hoo3RpEcvALALdt/xBot/FcEic/3IWVscSfVo8o:3Z8nkF9oySiLz72ooSru/so3V9xmFXA
Malware Config
Signatures
Deletes itself 1 IoCs
pid | Process
3048 | cmd.exe

Executes dropped EXE 2 IoCs
pid | Process
2748 | service.exe
2616 | service.exe

Loads dropped DLL 3 IoCs
pid | Process
2428 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe
2428 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe
2748 | service.exe

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\System Service Application = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe" | service.exe

Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 1852 set thread context of 2428 | 1852 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe | 28
PID 2748 set thread context of 2616 | 2748 | service.exe | 32
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | service.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | service.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | service.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | service.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe
Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target
PID 1852 wrote to memory of 2428 | 1852 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe | 28
PID 1852 wrote to memory of 2428 | 1852 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe | 28
PID 1852 wrote to memory of 2428 | 1852 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe | 28
PID 1852 wrote to memory of 2428 | 1852 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe | 28
PID 1852 wrote to memory of 2428 | 1852 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe | 28
PID 1852 wrote to memory of 2428 | 1852 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe | 28
PID 1852 wrote to memory of 2428 | 1852 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe | 28
PID 1852 wrote to memory of 2428 | 1852 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe | 28
PID 2428 wrote to memory of 3048 | 2428 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe | 29
PID 2428 wrote to memory of 3048 | 2428 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe | 29
PID 2428 wrote to memory of 3048 | 2428 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe | 29
PID 2428 wrote to memory of 3048 | 2428 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe | 29
PID 2428 wrote to memory of 2748 | 2428 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe | 31
PID 2428 wrote to memory of 2748 | 2428 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe | 31
PID 2428 wrote to memory of 2748 | 2428 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe | 31
PID 2428 wrote to memory of 2748 | 2428 | ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe | 31
PID 2748 wrote to memory of 2616 | 2748 | service.exe | 32
PID 2748 wrote to memory of 2616 | 2748 | service.exe | 32
PID 2748 wrote to memory of 2616 | 2748 | service.exe | 32
PID 2748 wrote to memory of 2616 | 2748 | service.exe | 32
PID 2748 wrote to memory of 2616 | 2748 | service.exe | 32
PID 2748 wrote to memory of 2616 | 2748 | service.exe | 32
PID 2748 wrote to memory of 2616 | 2748 | service.exe | 32
PID 2748 wrote to memory of 2616 | 2748 | service.exe | 32
Processes
C:\Users\Admin\AppData\Local\Temp\ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe (tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1852
C:\Users\Admin\AppData\Local\Temp\ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe (tree level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\ac6a274f5fde714dfd8bba9e46bb724861e4b406ea132d119e2e872d0b58abd0N.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID: 2428
C:\Windows\SysWOW64\cmd.exe (tree level 3)
Command line: cmd /c ""C:\Users\Admin\remove13241.bat" "
- Deletes itself
- System Location Discovery: System Language Discovery
PID: 3048
C:\Users\Admin\AppData\Local\Temp\service.exe (tree level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\service.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2748
C:\Users\Admin\AppData\Local\Temp\service.exe (tree level 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\service.exe"
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID: 2616
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 668KB
MD5: 86ca0bc25c34d43750812b3a12a762aa
SHA1: 95bb483eeae9544cac093963d24412ef4883f26d
SHA256: 448f60b053d0c1ff8975b95e09d9267a3a492a7ca514359069e3cb97f53f3dc6
SHA512: 2a3794ae9890fd69374c3ff44291a2b6aa430ff9410a0762f619165a7281dc98ad4709aac65286fb9e90b25bdf60b8e688fb5693545cac5e20b0ee99652ea271

Filesize: 51B
MD5: cac6c9c44b7ba77569037004849f4d6d
SHA1: 6bdf754cf0bb144e17ffd703663e4c5801598317
SHA256: 745528a15bf44f5504e5a1a27a5397e70dd6b1790093928f730a181e74776835
SHA512: a38711de27f0ca7a3f0673f3fdc16e1aa20e7828b7db16041d6307e7c68f3ef78ee3e007754f98a4ff113f99ec1b32ffece6e16a7dfdae3e1a287e009b9fa114

Filesize: 269B
MD5: 6c6503303985b1ff09b979223e9b682c
SHA1: 1172ca8d6ced99fe023e0de563e8ac36608e197d
SHA256: 85d657a903ab6a6b8d226e273ba311b0c58074a7d3b01a0d402dfbf5910c9a43
SHA512: 1d9ffffe6ac051b85852190228e687351dd275d1f0e0478826735699992646ee2b6f7bb79c0712ea274e68fe3606c8af14dfd292421c9c2fbbc68b03398fdad3