Overview
overview
10Static
static
10FD4DC9B2BF...4B.exe
windows7-x64
1Flyper.exe
windows7-x64
1Flyper2.exe
windows7-x64
1Flyper3.exe
windows7-x64
1Free YouTu...er.exe
windows7-x64
3FreeYoutub...16.exe
windows7-x64
7file (1).exe
windows7-x64
10file (2).exe
windows7-x64
6file (3).exe
windows7-x64
10file (4).exe
windows7-x64
10file (6).exe
windows7-x64
10file (7).exe
windows7-x64
3file.exe
windows7-x64
5file_ (1).exe
windows7-x64
7file_ (2).exe
windows7-x64
7file_ (3).exe
windows7-x64
7file_ (4).exe
windows7-x64
7file_ (5).exe
windows7-x64
7file_ (6).exe
windows7-x64
7file_ (7).exe
windows7-x64
7file_.exe
windows7-x64
7file_9.exe
windows7-x64
7firefox32.exe
windows7-x64
7flash_play...al.exe
windows7-x64
10flash_play...ed.exe
windows7-x64
3freegaza_i...rs.exe
windows7-x64
7fresh_a22b...53.exe
windows7-x64
9helper[1].exe_.exe
windows7-x64
3holycrypt-v0.3.exe
windows7-x64
info[1].exe
windows7-x64
10informations.exe
windows7-x64
10installer.exe
windows7-x64
7Analysis
-
max time kernel
291s -
max time network
239s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 03:31
Behavioral task
behavioral1
Sample
FD4DC9B2BFF8D75A704E8FE33C63DA4B.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Flyper.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
Flyper2.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
Flyper3.exe
Resource
win7-20241023-en
Behavioral task
behavioral5
Sample
Free YouTube Downloader.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
FreeYoutubeDownloader11012016.exe
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
file (1).exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
file (2).exe
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
file (3).exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
file (4).exe
Resource
win7-20240729-en
Behavioral task
behavioral11
Sample
file (6).exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
file (7).exe
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
file.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
file_ (1).exe
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
file_ (2).exe
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
file_ (3).exe
Resource
win7-20241010-en
Behavioral task
behavioral17
Sample
file_ (4).exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
file_ (5).exe
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
file_ (6).exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
file_ (7).exe
Resource
win7-20241023-en
Behavioral task
behavioral21
Sample
file_.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
file_9.exe
Resource
win7-20241010-en
Behavioral task
behavioral23
Sample
firefox32.exe
Resource
win7-20240729-en
Behavioral task
behavioral24
Sample
flash_player.original.exe
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
flash_player.unpacked.exe
Resource
win7-20240708-en
Behavioral task
behavioral26
Sample
freegaza_israeli_killers.exe
Resource
win7-20240903-en
Behavioral task
behavioral27
Sample
fresh_a22bb95ee8cfccc94ba183c071bad3a951b353e98fcf0d6cfa9268aaf9c53d53.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
helper[1].exe_.exe
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
holycrypt-v0.3.exe
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
info[1].exe
Resource
win7-20241023-en
Behavioral task
behavioral31
Sample
informations.exe
Resource
win7-20240708-en
Behavioral task
behavioral32
Sample
installer.exe
Resource
win7-20240903-en
General
-
Target
freegaza_israeli_killers.exe
-
Size
345KB
-
MD5
685a8933f565793c2bf54770b3286bbe
-
SHA1
85f5e2bb703c836c2a29045d6fc15ef81804f938
-
SHA256
8acccd48ee73b7eccbc3622341ea33f9e07dbcdcd6e07f8b01fb630015a44659
-
SHA512
40a85e1d8f0f80120bd413efece18ed5983ffdea316ddedd760c487da535803ae6b904f97b32c8732cca3bc8f6e6ea4f440849281a0d3c541d26a4489c3383a4
-
SSDEEP
6144:gSUomEUi3+sMZ3xEYIrQ3XFp6/ZLk5rmrL0bl+oanFvRB4ulqTyO0A:xUomEFRu3xEPEOBermMetRBXw0A
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ponmsiyyks.lnk Ponmsiyyks.exe -
Executes dropped EXE 1 IoCs
pid Process 2400 Ponmsiyyks.exe -
Loads dropped DLL 4 IoCs
pid Process 2104 freegaza_israeli_killers.exe 2104 freegaza_israeli_killers.exe 2104 freegaza_israeli_killers.exe 2104 freegaza_israeli_killers.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2400 set thread context of 2688 2400 Ponmsiyyks.exe 34 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language freegaza_israeli_killers.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ponmsiyyks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2400 Ponmsiyyks.exe 2400 Ponmsiyyks.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2400 Ponmsiyyks.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 2104 wrote to memory of 2400 2104 freegaza_israeli_killers.exe 30 PID 2104 wrote to memory of 2400 2104 freegaza_israeli_killers.exe 30 PID 2104 wrote to memory of 2400 2104 freegaza_israeli_killers.exe 30 PID 2104 wrote to memory of 2400 2104 freegaza_israeli_killers.exe 30 PID 2104 wrote to memory of 2400 2104 freegaza_israeli_killers.exe 30 PID 2104 wrote to memory of 2400 2104 freegaza_israeli_killers.exe 30 PID 2104 wrote to memory of 2400 2104 freegaza_israeli_killers.exe 30 PID 2400 wrote to memory of 2748 2400 Ponmsiyyks.exe 32 PID 2400 wrote to memory of 2748 2400 Ponmsiyyks.exe 32 PID 2400 wrote to memory of 2748 2400 Ponmsiyyks.exe 32 PID 2400 wrote to memory of 2748 2400 Ponmsiyyks.exe 32 PID 2400 wrote to memory of 2748 2400 Ponmsiyyks.exe 32 PID 2400 wrote to memory of 2748 2400 Ponmsiyyks.exe 32 PID 2400 wrote to memory of 2748 2400 Ponmsiyyks.exe 32 PID 2400 wrote to memory of 2688 2400 Ponmsiyyks.exe 34 PID 2400 wrote to memory of 2688 2400 Ponmsiyyks.exe 34 PID 2400 wrote to memory of 2688 2400 Ponmsiyyks.exe 34 PID 2400 wrote to memory of 2688 2400 Ponmsiyyks.exe 34 PID 2400 wrote to memory of 2688 2400 Ponmsiyyks.exe 34 PID 2400 wrote to memory of 2688 2400 Ponmsiyyks.exe 34 PID 2400 wrote to memory of 2688 2400 Ponmsiyyks.exe 34 PID 2400 wrote to memory of 2688 2400 Ponmsiyyks.exe 34 PID 2400 wrote to memory of 2688 2400 Ponmsiyyks.exe 34 PID 2400 wrote to memory of 2688 2400 Ponmsiyyks.exe 34 PID 2400 wrote to memory of 2688 2400 Ponmsiyyks.exe 34 PID 2400 wrote to memory of 2688 2400 Ponmsiyyks.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\freegaza_israeli_killers.exe"C:\Users\Admin\AppData\Local\Temp\freegaza_israeli_killers.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ponmsiyyks.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ponmsiyyks.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\cmd.execmd /c copy "C:\Users\Admin\AppData\Local\Temp\RarSFX0\*.*" "C:\Users\Admin\AppData\Roaming\Xrxoeoa"3⤵
- System Location Discovery: System Language Discovery
PID:2748
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2688
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD55c3e56ea2b8a49c1808d63cc6cc817f0
SHA181b1d8a3c6ef528c08dc388298e54d782fe903ec
SHA2563a9ba30f48997c0546ef1977a7f95a112fcad6ece91cfdd820ff88a51ff70e84
SHA5121acfabd8f414c704494dcc9d6093ec738c3de0a5a0a0c25a63e1355463feed5458e154c78c788d00692673ca4ce388e373ae27fea21ebc3f954bf3e1aa206eb6
-
Filesize
99KB
MD5293caf9072efec18b7eef903f3a2c7f4
SHA1de3016203919311f27b83b6981ee6eef9de7baa2
SHA256e368372210f645faaed24c1fa27b1c737c3dd3c1578fba9e8487149bff40b835
SHA512f5b38d29d1601f751b8a91c6af8f407860d230727626fda5949a1fb55c6b2a7c5da1f24132b9e72d77536df69a8f65b1b102ee02cad2d83059435db3b76d2c0a
-
Filesize
9.5MB
MD58df08dd868e16f24b01fe06719040cb2
SHA1f730c013121eab0c6157081aa8bd972389a87cbb
SHA256b05e06ab6e885de6f8646d6b9ffc8cc4aa8f285e656fd0738bb7cffb5c9d4f21
SHA512b15963c22d9e7cbbbf2b7645b576cdecd65357a3525fa5d73a80aaadc2d08c2d578786085db8517819366242263222337bf28f9fd601678a5266d90f899bee7b