Analysis

  • max time kernel
    154s
  • max time network
    246s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 03:31

General

  • Target

    file (4).exe

  • Size

    97KB

  • MD5

    241421356dd99063199983faaaec1d8b

  • SHA1

    2f65f6007347bdeb6bce09f7b727ed3db30c86a8

  • SHA256

    ca1d9b37d93106cab5f20fde3e6943ac0ae4761589cf31e2554fbabfaf80bfd5

  • SHA512

    59757412acc955bbf6a0695fac8b1b7ac231ae9bee71a42307cc4ec793c09f4d52a7358b0a8b40fa0658fbc688743034eedcf16da36f8bd2643cc48deb2c73ee

  • SSDEEP

    1536:WUVdfhkoWcPdBW4TVu5nHhJKqMkwN7Y0S8iXU0CsNdyukfP+:WUVTVg5BWkfqUEsNYFfP+

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file (4).exe
    "C:\Users\Admin\AppData\Local\Temp\file (4).exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\ProgramData\Media\rdb.bat
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • System Location Discovery: System Language Discovery
      • NTFS ADS
      PID:2380
    • C:\ProgramData\Media\kasper_zaebal.exe
      -wait
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2464
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 228
      2⤵
      • Program crash
      PID:2884

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Media\kasper_zaebal.exe

    Filesize

    97KB

    MD5

    241421356dd99063199983faaaec1d8b

    SHA1

    2f65f6007347bdeb6bce09f7b727ed3db30c86a8

    SHA256

    ca1d9b37d93106cab5f20fde3e6943ac0ae4761589cf31e2554fbabfaf80bfd5

    SHA512

    59757412acc955bbf6a0695fac8b1b7ac231ae9bee71a42307cc4ec793c09f4d52a7358b0a8b40fa0658fbc688743034eedcf16da36f8bd2643cc48deb2c73ee

  • C:\ProgramData\Media\rdb.bat

    Filesize

    84B

    MD5

    c6f7299be3ecbb88acfde79c4dc2b63c

    SHA1

    1ce9da1d060431581f08d3fa83240aab5b281d81

    SHA256

    a22d2d0a98cec8c7efccea543dc7d770577b5a966735deffa2f1bce9ecfbad5d

    SHA512

    b7ce561caff59f6a08702f21dfc953b028ac6b47289c61f85468586ff9f941490bade7f78b4eb198ae958dcb58204c85db3b6ec1d071d9b0af6babe9534baa27