Analysis

max time kernel: 149s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-11-2024 04:58

Static task: static1

Behavioral task: behavioral1
  Sample: dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe
  Resource: win10v2004-20241007-en
General

Target: dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe
Size: 685KB
MD5: 67a61a5b722dd63bbe160c472b845e1a
SHA1: 1490776613fd477ef1812ef5d620b9e4867f390a
SHA256: dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b
SHA512: ea4fce6129277fcb96309d49a08e2ae16489ec0bd75e2d5dc6413be80fefbd97581c924726a00ebd81e67041328db11fd3bca4d2374142b3b86e90a725c42c7b
SSDEEP: 12288:3Z8nkF9oy1ADvMKdhAS0jjLz7hoo3RpEcvALALdt/xBot/FcEic/3IWVscSfVo8s:3Z8nkF9oySiLz72ooSru/so3V9xmA0k
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: service.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\service.exe"
  Note: the data replaces the default entry (C:\Windows\system32\userinit.exe, including the trailing comma) rather than appending to it, so the legitimate userinit.exe is no longer listed. The write landed in the WOW6432Node view because service.exe is a 32-bit process; when triaging an x64 host, check the native Winlogon key as well, since that is the view the 64-bit winlogon.exe reads.
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe)
Executes dropped EXE (2 IoCs)
  PID 3280: service.exe
  PID 1712: service.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: service.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Service Application = "C:\\Windows\\service.exe"
  Note: this is the 32-bit Run view, which Explorer does process at logon, so this entry gives the sample a working autostart independent of the Winlogon change.
Suspicious use of SetThreadContext (2 IoCs)
  PID 4316 (dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe) set thread context of PID 1780 (procid_target 83)
  PID 3280 (service.exe) set thread context of PID 1712 (procid_target 88)
Drops file in Windows directory (4 IoCs)
  File opened for modification: C:\Windows\service.exe (dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe)
  File created: C:\Windows\service.exe (service.exe)
  File opened for modification: C:\Windows\service.exe (service.exe)
  File created: C:\Windows\service.exe (dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the victim's system language in order to infer the geographical location of the host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (service.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (service.exe)
Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (service.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (service.exe)
Modifies registry class (1 IoC)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe)
Suspicious use of WriteProcessMemory (20 IoCs)
  PID 4316 (dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe) wrote to memory of PID 1780 (procid_target 83): 7 events
  PID 1780 (dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe) wrote to memory of PID 4352 (procid_target 85): 3 events
  PID 1780 (dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe) wrote to memory of PID 3280 (procid_target 87): 3 events
  PID 3280 (service.exe) wrote to memory of PID 1712 (procid_target 88): 7 events
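Read together, the SetThreadContext and WriteProcessMemory entries describe the same two parent-to-child pairs: the sample into a second copy of itself (4316 to 1780), and the dropped service.exe into a second copy of itself (3280 to 1712), each with a burst of writes followed by a thread-context change. The report only records the API calls; the following added example (not sandbox code, not from the sample) correlates constructed events with the report's multiplicities per (source, target) pair and labels a pair as a hollowing candidate when it shows SetThreadContext plus a write burst into a freshly created child. The write threshold, the labels, and the assumption that a few writes with no SetThreadContext are ordinary process start-up noise are my own for this example.

```python
"""Correlate WriteProcessMemory / SetThreadContext events per (source, target) pair (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE = "dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe"


@dataclass
class Proc:
    pid: int
    image: str
    parent: Optional[int]


# Process tree as the report shows it (PID, image, parent PID); constructed from the report.
PROCS: Dict[int, Proc] = {
    4316: Proc(4316, SAMPLE, None),
    1780: Proc(1780, SAMPLE, 4316),
    4352: Proc(4352, "cmd.exe", 1780),
    3280: Proc(3280, "service.exe", 1780),
    1712: Proc(1712, "service.exe", 3280),
}

# (api, source pid, target pid); multiplicities follow the report's IoC lists.
EVENTS: List[Tuple[str, int, int]] = (
    [("WriteProcessMemory", 4316, 1780)] * 7 + [("SetThreadContext", 4316, 1780)]
    + [("WriteProcessMemory", 1780, 4352)] * 3
    + [("WriteProcessMemory", 1780, 3280)] * 3
    + [("WriteProcessMemory", 3280, 1712)] * 7 + [("SetThreadContext", 3280, 1712)]
)


@dataclass
class PairStats:
    writes: int = 0
    set_context: int = 0


def correlate(events: List[Tuple[str, int, int]]) -> Dict[Tuple[int, int], PairStats]:
    """Aggregate the cross-process API calls by (source, target) pair, preserving first-seen order."""
    stats: Dict[Tuple[int, int], PairStats] = {}
    for api, src, dst in events:
        s = stats.setdefault((src, dst), PairStats())
        if api == "WriteProcessMemory":
            s.writes += 1
        elif api == "SetThreadContext":
            s.set_context += 1
    return stats


def classify(src: int, dst: int, s: PairStats, procs: Dict[int, Proc],
             write_threshold: int = 5) -> Optional[str]:
    """Assumption: a few start-up writes with no SetThreadContext are normal; a write burst plus
    SetThreadContext on a freshly created child is the hollowing pattern."""
    if s.set_context == 0 or s.writes < write_threshold:
        return None
    child = procs[dst].parent == src
    same_image = procs[src].image.lower() == procs[dst].image.lower()
    if child and same_image:
        return "self-hollowing candidate (child of own image)"
    if child:
        return "hollowing candidate (child of a different image)"
    return "remote injection candidate (target is not a child)"


def injection_chains(events: List[Tuple[str, int, int]],
                     procs: Dict[int, Proc]) -> List[Tuple[int, int, str]]:
    out: List[Tuple[int, int, str]] = []
    for (src, dst), s in correlate(events).items():
        label = classify(src, dst, s, procs)
        if label:
            out.append((src, dst, label))
    return out


def hollowed_lineage(chains: List[Tuple[int, int, str]], procs: Dict[int, Proc]) -> List[int]:
    """PIDs whose recorded behaviour should be read as the injected payload's, not the on-disk image's:
    every hollowing target and everything descended from it."""
    targets = {dst for _, dst, _ in chains}
    out = []
    for p in procs.values():
        cur: Optional[int] = p.pid
        while cur is not None:
            if cur in targets:
                out.append(p.pid)
                break
            cur = procs[cur].parent
    return out


if __name__ == "__main__":
    chains = injection_chains(EVENTS, PROCS)
    for src, dst, label in chains:
        print(f"{src} ({PROCS[src].image}) -> {dst}: {label}")
    print("activity to attribute to injected code:", hollowed_lineage(chains, PROCS))
```

Two pairs come out flagged, 4316 to 1780 and 3280 to 1712, while the three-write pairs into cmd.exe and the first service.exe instance stay quiet. The lineage helper makes the triage consequence explicit: the file drop, the registry writes and the .bat launch are all attributed to PID 1780 or its descendants, so they belong to whatever was written into that process, not to the bytes of the sample on disk.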
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe"
    PID: 4316
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [depth 2] C:\Users\Admin\AppData\Local\Temp\dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\dd7f06cb4111b824be896e9065b5e1d1297c9e0096ac22f8200f9e1dff8f545b.exe"
        PID: 1780
        - Checks computer location settings
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Modifies registry class
        - Suspicious use of WriteProcessMemory

        [depth 3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\remove25021.bat" "
            PID: 4352
            - System Location Discovery: System Language Discovery
            (The command line names system32 but the image that ran is the SysWOW64 copy: the 32-bit parent's path is redirected by WOW64 file system redirection.)

        [depth 3] C:\Windows\service.exe
            Command line: "C:\Windows\service.exe"
            PID: 3280
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [depth 4] C:\Windows\service.exe
                Command line: "C:\Windows\service.exe"
                PID: 1712
                - Modifies WinLogon for persistence
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads

Filesize: 267B
MD5: 069a41c368782098ed3231fb21b1bf6a
SHA1: 588c355e4b622e6f996585539028400da3c928d3
SHA256: 6af02d1e17de464995a473da5e9c9a9be554b4ac1b95c59d2ea2feb6d836fe3b
SHA512: cd62e817b2d5366ca1a9f2ff89f6a481e8c9c00b371f0d23e9df58d11e453c7b731ac2fdd079697e2a434a0e2049fbfec919643838191e9844fd904601c86373

Filesize: 51B
MD5: 47a8ba1ac93ed45a6c0730f839996ebe
SHA1: cb866994aae108d550d8e86de8f72113385ea013
SHA256: ad13a0f3f6c294009c8909aa19cb7a0b92e4cc8a39345a004cfdf0edd51b5f9e
SHA512: bdd6d1897495836b837b570add6d8a28a81dc9d67524af966d77e4c074e771628de4a7e2147c6a40336276cf03cd4014a91c461cc409f96fed0ca5ec425bb8cc

Filesize: 686KB
MD5: bf9e5a05c5e1ffe373660fd64d31129c
SHA1: b692e3cfc6bac3e13749fff168d4074b24474e0c
SHA256: 365f7e6d2208b8d3ebe6ba59469e38735589b5b30c039986f903186861777019
SHA512: 844efe515bc2f82f05776b01d5d4e2c8df3c3e6fdc7167c7bbcd02a1660fcdf2d168adb53d0c0d760b3c1c0d81870baea28213d0d938bfe6d6b8fe090946be10