Analysis

max time kernel:  94s
max time network: 142s
platform:         windows10-2004_x64
resource:         win10v2004-20241007-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted:        21-11-2024 07:22
Static task: static1

Behavioral task: behavioral1
  Sample:   f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample:   f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe
  Resource: win10v2004-20241007-en
General

Target: f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe
Size:   1.1MB
MD5:    51b591af51c719fe45c77aefd310b748
SHA1:   8ba7fef83fbd129616b8e94e0c489c412bd70ae3
SHA256: f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682
SHA512: da1ed6e4cc287eb264abc43793c1a44df3abc56a94db81f9182f952468304993e97a8a50f46d37e253d1f44b8bfa073c931902161c5d4532c87b9a2300f8e080
SSDEEP: 24576:WfmMv6Ckr7Mny5Qti452VFcjvzjr0A0/1D6d:W3v+7/5Qtl52PEL/0A0/1D6d
Malware Config
Signatures

Drops startup file (1 IoC)
  description    ioc                                                                                              Process
  File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\subpredicate.vbs   subpredicate.exe

Executes dropped EXE (1 IoC)
  pid    Process
  4188   subpredicate.exe

AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  resource                                      yara_rule
  behavioral2/files/0x0007000000023ca5-5.dat    autoit_exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid    pid_target   Process        procid_target
  2256   4188         WerFault.exe   83

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   subpredicate.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid    Process
  1616   f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe
  1616   f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe
  4188   subpredicate.exe
  4188   subpredicate.exe

Suspicious use of SendNotifyMessage (4 IoCs)
  pid    Process
  1616   f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe
  1616   f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe
  4188   subpredicate.exe
  4188   subpredicate.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                          pid    Process                                                                 procid_target
  PID 1616 wrote to memory of 4188     1616   f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe   83
  PID 1616 wrote to memory of 4188     1616   f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe   83
  PID 1616 wrote to memory of 4188     1616   f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe   83
  PID 4188 wrote to memory of 3068     4188   subpredicate.exe                                                        84
  PID 4188 wrote to memory of 3068     4188   subpredicate.exe                                                        84
  PID 4188 wrote to memory of 3068     4188   subpredicate.exe                                                        84
Processes

C:\Users\Admin\AppData\Local\Temp\f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe"
  PID: 1616
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\meshuggenah\subpredicate.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe"
      PID: 4188
      - Drops startup file
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe"
          PID: 3068

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 752
          PID: 2256
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4188 -ip 4188
  PID: 2380
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 204KB
  MD5:    6079a0802e91cb9f5da4e71139ff1e79
  SHA1:   89414da06acd2285aa91a604cab3f37a733f62e1
  SHA256: af11511f747b4b2b353a22912449a2ab957dacf7e2854eec985a0a371c92503a
  SHA512: c7a9cb8d1e326e1ddea3342561b83c7a8a90aa3ad99d2b91d3b8fcc307846d378559578d666ad288eea5211de5f833009adeba37197bd601f0de5965144fac2a

Filesize: 1.1MB
  MD5:    51b591af51c719fe45c77aefd310b748
  SHA1:   8ba7fef83fbd129616b8e94e0c489c412bd70ae3
  SHA256: f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682
  SHA512: da1ed6e4cc287eb264abc43793c1a44df3abc56a94db81f9182f952468304993e97a8a50f46d37e253d1f44b8bfa073c931902161c5d4532c87b9a2300f8e080