Analysis
max time kernel: 95s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/11/2024, 09:11
Static task: static1
Behavioral task: behavioral1
  Sample: 89cfe67f5db79acfcddfeebe0f984252780a6108b4a425bf878574a3efce6f83.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 89cfe67f5db79acfcddfeebe0f984252780a6108b4a425bf878574a3efce6f83.exe
  Resource: win10v2004-20241007-en
General
Target: 89cfe67f5db79acfcddfeebe0f984252780a6108b4a425bf878574a3efce6f83.exe
Size: 1.3MB
MD5: 3033de305199a2dfa2ae15a067686fce
SHA1: 0359e5dcbd476e7375eb4bf2c7d1e15c98dea27e
SHA256: 89cfe67f5db79acfcddfeebe0f984252780a6108b4a425bf878574a3efce6f83
SHA512: ba30241dc4cf660f059cd8e536db0a433ca875ce1d29e02c00cf0d8a569777b05ede0692fddb3d6f0adf26b4b6ea348d8f8eae96037140f25ea6ed3d3c7c7856
SSDEEP: 24576:Qtb20pkaCqT5TBWgNQ7aySqc44ZcsvHk6A:ZVg5tQ7aySDvY5
Malware Config
Signatures
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\surmit.vbs
  Process: surmit.exe
- Executes dropped EXE (1 IoC)
  pid: 1276
  Process: surmit.exe
- AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  resource: behavioral2/files/0x0002000000022efc-9.dat
  yara_rule: autoit_exe
- Program crash (1 IoC)
  pid: 5052
  pid_target: 1276
  Process: WerFault.exe
  procid_target: 86
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 89cfe67f5db79acfcddfeebe0f984252780a6108b4a425bf878574a3efce6f83.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: surmit.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 3096 wrote to memory of 1276; pid: 3096; Process: 89cfe67f5db79acfcddfeebe0f984252780a6108b4a425bf878574a3efce6f83.exe; procid_target: 86
  description: PID 3096 wrote to memory of 1276; pid: 3096; Process: 89cfe67f5db79acfcddfeebe0f984252780a6108b4a425bf878574a3efce6f83.exe; procid_target: 86
  description: PID 3096 wrote to memory of 1276; pid: 3096; Process: 89cfe67f5db79acfcddfeebe0f984252780a6108b4a425bf878574a3efce6f83.exe; procid_target: 86
  description: PID 1276 wrote to memory of 3492; pid: 1276; Process: surmit.exe; procid_target: 87
  description: PID 1276 wrote to memory of 3492; pid: 1276; Process: surmit.exe; procid_target: 87
  description: PID 1276 wrote to memory of 3492; pid: 1276; Process: surmit.exe; procid_target: 87
Processes
- C:\Users\Admin\AppData\Local\Temp\89cfe67f5db79acfcddfeebe0f984252780a6108b4a425bf878574a3efce6f83.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\89cfe67f5db79acfcddfeebe0f984252780a6108b4a425bf878574a3efce6f83.exe"
  PID: 3096
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Gammexane\surmit.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\89cfe67f5db79acfcddfeebe0f984252780a6108b4a425bf878574a3efce6f83.exe"
    PID: 1276
    Signatures: Drops startup file; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\89cfe67f5db79acfcddfeebe0f984252780a6108b4a425bf878574a3efce6f83.exe"
      PID: 3492
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 712
      PID: 5052
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1276 -ip 1276
  PID: 1392
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.3MB
  MD5: 3033de305199a2dfa2ae15a067686fce
  SHA1: 0359e5dcbd476e7375eb4bf2c7d1e15c98dea27e
  SHA256: 89cfe67f5db79acfcddfeebe0f984252780a6108b4a425bf878574a3efce6f83
  SHA512: ba30241dc4cf660f059cd8e536db0a433ca875ce1d29e02c00cf0d8a569777b05ede0692fddb3d6f0adf26b4b6ea348d8f8eae96037140f25ea6ed3d3c7c7856