Analysis
-
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2024 01:12
-
Static task: static1
Behavioral task: behavioral1 (this report)
  Sample: 7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe
  Resource: win10v2004-20241007-en
General
-
Target: 7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe
Size: 358KB
MD5: fb4ea6c1c46a9a16d442b879c0dfb908
SHA1: ac54284d5a8600fcfc3b6f6a1252534911acf082
SHA256: 7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8
SHA512: c1c0c12d2d28bb64a02ade682124d87bddf4a92369c29e5f5eed278f9c30525bd49a0f1704930767b5e83fb71e864a47fd2c436a4d3b7a8ed4030859c61e07a3
SSDEEP: 6144:MxtLQ+SM/E+f8SzAmWeTyCREZErp/z6JnIYEYDQco30hzWRlRGUzt:MfLQ+lz8+RRTyCu06JnIYj7BWRP
Malware Config
Signatures
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
description   ioc                                                            process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   schtasks.exe
Note that the same key was opened by schtasks.exe, a Windows binary started by the sample, so this hit is low-signal on its own.
-
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
schtasks is often used by malware for persistence or to perform post-infection execution.
pid    process
1548   schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid    process
2112   7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe (10 hits)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid    process
Token: SeDebugPrivilege  2112   7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe
The privilege is enabled by the same PID that then writes into every child process it starts (see the next signature).
-
Suspicious use of WriteProcessMemory (24 IoCs)
All 24 hits are writes from PID 2112 (the sample) into the six processes it started, four writes per child.
writer pid   writer process                                                          target pid   procid_target   writes
2112         7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe   1548         30              4
2112         7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe   2120         32              4
2112         7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe   2064         33              4
2112         7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe   2052         34              4
2112         7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe   1264         35              4
2112         7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe   2392         36              4
Five of the six targets are fresh copies of the sample's own image; the sixth is schtasks.exe, which received the same four writes, so the hit count alone does not separate code injection from the writes a parent makes into any child it starts.
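The WriteProcessMemory hits above become useful once they are joined with the process tree: the question is not how many writes happened but whether a parent re-launched its own image and wrote into every copy. The following is an added example, not part of the sandbox report; the PROCESSES and WRITES records are constructed from the PIDs, image names and "wrote to memory of" lines printed on this page, and the minimum-copies threshold and the finding keys are the editor's assumptions.

```python
"""Reconstruct the process tree and cross-process writes from the report above
and flag a parent that re-launches its own image and writes into each copy.

Added example, not part of the sandbox report. PROCESSES and WRITES are
constructed from the PIDs, image names and "wrote to memory of" lines on this
page; min_copies and the finding keys are assumptions.
"""
from collections import Counter, defaultdict

SAMPLE = "7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe"

# (pid, image, parent_pid), constructed from the Processes section of the report
PROCESSES = [
    (2112, SAMPLE, None),
    (1548, "schtasks.exe", 2112),
    (2120, SAMPLE, 2112),
    (2064, SAMPLE, 2112),
    (2052, SAMPLE, 2112),
    (1264, SAMPLE, 2112),
    (2392, SAMPLE, 2112),
]

# (writer_pid, target_pid): the report lists four writes from 2112 into every child
WRITES = [(2112, target) for target in (1548, 2120, 2064, 2052, 1264, 2392) for _ in range(4)]


def build_tree(processes):
    """Return (image_by_pid, children_by_parent) from (pid, image, parent) records."""
    image_by_pid = {pid: image for pid, image, _ in processes}
    children = defaultdict(list)
    for pid, _, parent in processes:
        if parent is not None:
            children[parent].append(pid)
    return image_by_pid, children


def writes_per_target(writes):
    """Count WriteProcessMemory hits per (writer, target) pair."""
    return Counter(writes)


def find_self_respawn(processes, writes, min_copies=2):
    """Flag parents that start at least min_copies children running the parent's
    own image and write into every one of them. Each finding lists the copies
    and the number of writes each copy received."""
    image_by_pid, children = build_tree(processes)
    counts = writes_per_target(writes)
    findings = []
    for parent, kids in children.items():
        copies = [k for k in kids if image_by_pid[k] == image_by_pid[parent]]
        written = {k: counts[(parent, k)] for k in copies if counts[(parent, k)]}
        if len(copies) >= min_copies and len(written) == len(copies):
            findings.append({"parent": parent, "image": image_by_pid[parent],
                             "copies": copies, "writes": written})
    return findings


def foreign_write_targets(processes, writes):
    """Targets that received writes but do not share the writer's image: the hits
    the signature counts that are not self-copies (schtasks.exe in this report)."""
    image_by_pid, _ = build_tree(processes)
    seen = []
    for writer, target in writes:
        entry = (target, image_by_pid[target])
        if image_by_pid[target] != image_by_pid[writer] and entry not in seen:
            seen.append(entry)
    return seen


if __name__ == "__main__":
    for f in find_self_respawn(PROCESSES, WRITES):
        print(f"PID {f['parent']} re-launched its own image {len(f['copies'])} times: {f['copies']}")
        print(f"  writes per copy: {f['writes']}")
    print("writes into other images:", foreign_write_targets(PROCESSES, WRITES))
```

Run against the report's data this yields one finding, PID 2112 with five self-copies, and one foreign target, schtasks.exe with the same four writes. The foreign target is the caveat: a write count by itself would also flag the schtasks launch, so a rule built on this signature should require the self-image condition, or a write into a process the writer did not create.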
Processes
-
C:\Users\Admin\AppData\Local\Temp\7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe  (PID 2112)
  command line: "C:\Users\Admin\AppData\Local\Temp\7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe  (PID 1548)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\orcHPGIOhYkzPQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAF23.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  C:\Users\Admin\AppData\Local\Temp\7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe  (PID 2120)
    command line: "C:\Users\Admin\AppData\Local\Temp\7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe"

  C:\Users\Admin\AppData\Local\Temp\7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe  (PID 2064)
    command line: "C:\Users\Admin\AppData\Local\Temp\7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe"

  C:\Users\Admin\AppData\Local\Temp\7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe  (PID 2052)
    command line: "C:\Users\Admin\AppData\Local\Temp\7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe"

  C:\Users\Admin\AppData\Local\Temp\7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe  (PID 1264)
    command line: "C:\Users\Admin\AppData\Local\Temp\7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe"

  C:\Users\Admin\AppData\Local\Temp\7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe  (PID 2392)
    command line: "C:\Users\Admin\AppData\Local\Temp\7baf06bcd3734eaa62b131c711a382d3b6c662b68b43e17e775080e8906711e8.exe"

The schtasks.exe child runs from C:\Windows\SysWOW64\ although its command line names System32: the parent is a 32-bit process, so WOW64 file-system redirection applied. The five re-launched copies of the sample carry no signatures of their own; the parent started them one after another and wrote into each (see the WriteProcessMemory signature above).
-
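The persistence mechanism is the schtasks /Create call in the tree above. Because the task definition is passed as an XML file (/XML) rather than inline (/TR), the command line alone does not say what the task runs; the analyst has to parse both the command line and the XML. The following is an added example, not part of the sandbox report: CMDLINE is copied from the process tree, while TASK_XML is constructed here to stand in for tmpAF23.tmp, whose contents the report does not include, so its command, trigger and settings are assumptions, as are the finding texts.

```python
"""Extract persistence details from a 'schtasks /Create ... /XML' command line
and from the Task Scheduler XML definition it installs.

Added example, not part of the sandbox report. CMDLINE is copied from the
process tree on the page; TASK_XML is a constructed stand-in for tmpAF23.tmp,
whose contents the report does not include, so its command, trigger and
settings are assumptions. The finding texts are the editor's choice.
"""
import xml.etree.ElementTree as ET

CMDLINE = ('"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\orcHPGIOhYkzPQ" '
           '/XML "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpAF23.tmp"')

# Constructed stand-in for tmpAF23.tmp; the real Task Scheduler namespace is used,
# the XML declaration is omitted so the document parses from a Python str.
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Admin\\AppData\\Roaming\\orcHPGIOhYkzPQ.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
VERBS = {"create", "delete", "change", "run", "end", "query"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def split_windows_cmdline(cmdline):
    """Split on whitespace outside double quotes and drop the quotes. Enough for
    schtasks-style command lines; not a full CommandLineToArgvW."""
    tokens, current, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if current:
                tokens.append(current)
                current = ""
        else:
            current += ch
    if current:
        tokens.append(current)
    return tokens


def parse_schtasks(cmdline):
    """Return the schtasks verb and its /switch values (switch names lower-cased)."""
    tokens = split_windows_cmdline(cmdline)
    parsed = {"exe": tokens[0], "verb": None, "switches": {}}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("/"):
            i += 1
            continue
        name = tok[1:].lower()
        if name in VERBS:
            parsed["verb"] = name
            i += 1
        elif i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            parsed["switches"][name] = tokens[i + 1]
            i += 2
        else:
            parsed["switches"][name] = True
            i += 1
    return parsed


def parse_task_xml(xml_text):
    """Pull triggers, Exec actions, Hidden flag and RunLevel from a task definition."""
    root = ET.fromstring(xml_text)
    triggers_el = root.find("t:Triggers", NS)
    triggers = [] if triggers_el is None else [child.tag.split("}")[-1] for child in triggers_el]
    actions = [(ex.findtext("t:Command", default="", namespaces=NS),
                ex.findtext("t:Arguments", default="", namespaces=NS))
               for ex in root.findall("t:Actions/t:Exec", NS)]
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).strip().lower() == "true"
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)
    return {"triggers": triggers, "actions": actions, "hidden": hidden, "run_level": run_level}


def assess(parsed_cmd, task):
    """Return the reasons this task creation deserves attention."""
    findings, sw = [], parsed_cmd["switches"]
    if parsed_cmd["verb"] == "create" and "xml" in sw:
        findings.append("task created from an XML file, so the command line hides what runs")
        if any(p in sw["xml"].lower() for p in USER_WRITABLE):
            findings.append(f"task definition staged in a user-writable path: {sw['xml']}")
    tn = sw.get("tn", "")
    if "\\" in tn and not tn.lstrip("\\").lower().startswith("microsoft\\"):
        findings.append(f"task placed in a non-Microsoft folder: {tn}")
    for cmd, _ in task["actions"]:
        if any(p in cmd.lower() for p in USER_WRITABLE):
            findings.append(f"action runs a binary from a user-writable path: {cmd}")
    if task["hidden"]:
        findings.append("task is marked Hidden")
    if "LogonTrigger" in task["triggers"]:
        findings.append("task runs at every logon")
    return findings


if __name__ == "__main__":
    cmd = parse_schtasks(CMDLINE)
    print(cmd["verb"], cmd["switches"])
    for finding in assess(cmd, parse_task_xml(TASK_XML)):
        print("-", finding)
```

On a live host the real definition can be exported with schtasks /Query /TN "Updates\orcHPGIOhYkzPQ" /XML and fed to parse_task_xml in place of the constructed document; the staging file in Temp is often gone by the time the host is examined, so the registered task is the more reliable source.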
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1KB
MD5: bd8a74ee045060c5cdd1448a326f6bd2
SHA1: ac3e9632787e52a30b7481b6fe0559a840c3fa3c
SHA256: ce34fa95f07c27526f783eb28a393edbca988cb5f50e480836bcf01ffdd4721b
SHA512: 861ab2a331bdd32498b241ef5cd53d86fa237586e9c65090aa7a41e16dc75094ed03c18aab213455192376f4b6aef2204df084d73d25c5aca5d1d4d111b2513f