c96b41fac848211321861fcf957e5f475a950c56f9024f792e5c9584f1fbd3ef

Analysis

max time kernel
83s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe
Size

84KB
MD5

fef2837fa1deb4704de03eaa76b62241
SHA1

8bb3914b5ae46383f0223ace7a7b3b6de2b6344e
SHA256

14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d
SHA512

9b7ca59308240a46bc215975c14e508bdc853ab5c7a7bc76a92ef42d1dfce0adec2aa1b51b8f9569590bb110c8f9cb47f2c1c446c4ec6c747dac453a918c78f7
SSDEEP

768:DhnciumS4FeU6ggYpFJVuGwv8zE2rCaBE1s6zAKKXb/7BxkxzDNHwP00VPSuilVV:1D5vzuf8qfSpKKXxiha00tSHVOWc

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2736 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

DirectX.exe

pid process

2088 DirectX.exe

pid	process
2736	cmd.exe

pid	process
2088	DirectX.exe

Loads dropped DLL 2 IoCs

Processes:

old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe

pid	process
2548	old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe
2548	old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

DirectX.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DirectX = "C:\\Users\\Admin\\AppData\\Roaming\\DirectX.exe"	DirectX.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DirectX = "C:\\Users\\Admin\\AppData\\Roaming\\DirectX.exe"	DirectX.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 checkip.dyndns.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
2	checkip.dyndns.org

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exetaskkill.exeold_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exeDirectX.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DirectX.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2856 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2856 taskkill.exe

pid	process
2856	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2856	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.execmd.exe

description	pid	process	target process
PID 2548 wrote to memory of 2088	2548	old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe	DirectX.exe
PID 2548 wrote to memory of 2088	2548	old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe	DirectX.exe
PID 2548 wrote to memory of 2088	2548	old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe	DirectX.exe
PID 2548 wrote to memory of 2088	2548	old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe	DirectX.exe
PID 2548 wrote to memory of 2736	2548	old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe	cmd.exe
PID 2548 wrote to memory of 2736	2548	old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe	cmd.exe
PID 2548 wrote to memory of 2736	2548	old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe	cmd.exe
PID 2548 wrote to memory of 2736	2548	old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe	cmd.exe
PID 2736 wrote to memory of 2856	2736	cmd.exe	taskkill.exe
PID 2736 wrote to memory of 2856	2736	cmd.exe	taskkill.exe
PID 2736 wrote to memory of 2856	2736	cmd.exe	taskkill.exe
PID 2736 wrote to memory of 2856	2736	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe
"C:\Users\Admin\AppData\Local\Temp\old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Roaming\DirectX.exe
  "C:\Users\Admin\AppData\Roaming\DirectX.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c aaa.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aaa.bat

Filesize
225B

MD5
a8600eab4988347fe7a8c7fa8ff529f1

SHA1
4c8a216635869c87bde910256aa5f7c50fe94e20

SHA256
6d510b47afe90b704c3a7c890f835decad84b979f254fda1cbeb7043f831fce5

SHA512
5bdb526a25e5319c18f7359f63eaeb31f063802dca19a6a11e4ecf4f56d611077e8e3adf7a2859aa12998567e6ae5d6935de0dad9a987ec6a3d0c23b00644c3c

Download Submit
\Users\Admin\AppData\Roaming\DirectX.exe

Filesize
84KB

MD5
fef2837fa1deb4704de03eaa76b62241

SHA1
8bb3914b5ae46383f0223ace7a7b3b6de2b6344e

SHA256
14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d

SHA512
9b7ca59308240a46bc215975c14e508bdc853ab5c7a7bc76a92ef42d1dfce0adec2aa1b51b8f9569590bb110c8f9cb47f2c1c446c4ec6c747dac453a918c78f7

Download Submit
memory/2088-20-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2548-18-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download