Analysis
-
max time kernel
86s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-11-2024 03:43
General
-
Target
file (4).exe
-
Size
97KB
-
MD5
241421356dd99063199983faaaec1d8b
-
SHA1
2f65f6007347bdeb6bce09f7b727ed3db30c86a8
-
SHA256
ca1d9b37d93106cab5f20fde3e6943ac0ae4761589cf31e2554fbabfaf80bfd5
-
SHA512
59757412acc955bbf6a0695fac8b1b7ac231ae9bee71a42307cc4ec793c09f4d52a7358b0a8b40fa0658fbc688743034eedcf16da36f8bd2643cc48deb2c73ee
-
SSDEEP
1536:WUVdfhkoWcPdBW4TVu5nHhJKqMkwN7Y0S8iXU0CsNdyukfP+:WUVTVg5BWkfqUEsNYFfP+
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file (4).exe"C:\Users\Admin\AppData\Local\Temp\file (4).exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c C:\ProgramData\Media\rdb.bat2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
-
-
C:\ProgramData\Media\kasper_zaebal.exe-wait2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 2282⤵
- Program crash
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
84B
MD5c6f7299be3ecbb88acfde79c4dc2b63c
SHA11ce9da1d060431581f08d3fa83240aab5b281d81
SHA256a22d2d0a98cec8c7efccea543dc7d770577b5a966735deffa2f1bce9ecfbad5d
SHA512b7ce561caff59f6a08702f21dfc953b028ac6b47289c61f85468586ff9f941490bade7f78b4eb198ae958dcb58204c85db3b6ec1d071d9b0af6babe9534baa27
-
Filesize
97KB
MD5241421356dd99063199983faaaec1d8b
SHA12f65f6007347bdeb6bce09f7b727ed3db30c86a8
SHA256ca1d9b37d93106cab5f20fde3e6943ac0ae4761589cf31e2554fbabfaf80bfd5
SHA51259757412acc955bbf6a0695fac8b1b7ac231ae9bee71a42307cc4ec793c09f4d52a7358b0a8b40fa0658fbc688743034eedcf16da36f8bd2643cc48deb2c73ee