Analysis
max time kernel
118s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
26-11-2024 22:36
Behavioral task
behavioral1
Sample
591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe
Resource
win7-20241010-en
General
Target
591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe
Size
392KB
MD5
82e2ea96bd980f31e38f51638b635e7f
SHA1
e5001915a2516fe86c6d04822bc669919991ee24
SHA256
591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb
SHA512
564f98b8265597c93acdc5d6426089a5441598d38aac13ab1e16ec074b8291c3e8e176ded09bdf5eb24a700a6c1910416cbe45f1426d50a43e50cd4da219d97b
SSDEEP
3072:V+ESQ0EWVwZhKxC5Rt+k60Zh+qw6PYSsszfHZTZJ2lbaV2K:DPA6wxmuJspr2lb6P
Malware Config
Signatures
Andromeda family
Detects Andromeda payload. 2 IoCs
resource yara_rule
behavioral2/memory/1824-64-0x00000000005E0000-0x00000000005E5000-memory.dmp family_andromeda
behavioral2/memory/1824-68-0x00000000005E0000-0x00000000005E5000-memory.dmp family_andromeda
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\60321 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msfusafjk.exe" svchost.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe
Executes dropped EXE 3 IoCs
pid Process
628 skyrpe.exe
3020 skyrpe.exe
2008 skyrpe.exe
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\Users\\Admin\\AppData\\Roaming\\skype\\skyrpe.exe" reg.exe
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum skyrpe.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 skyrpe.exe
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target
PID 4588 set thread context of 2368 4588 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe 90
PID 628 set thread context of 3020 628 skyrpe.exe 97
PID 628 set thread context of 2008 628 skyrpe.exe 98
resource yara_rule
behavioral2/memory/4588-0-0x0000000000400000-0x0000000000462000-memory.dmp upx
behavioral2/memory/4588-5-0x0000000000400000-0x0000000000462000-memory.dmp upx
behavioral2/memory/2368-9-0x0000000000400000-0x000000000040B000-memory.dmp upx
behavioral2/memory/2368-11-0x0000000000400000-0x000000000040B000-memory.dmp upx
behavioral2/memory/4588-12-0x0000000000400000-0x0000000000462000-memory.dmp upx
behavioral2/memory/2368-13-0x0000000000400000-0x000000000040B000-memory.dmp upx
behavioral2/memory/2368-14-0x0000000000400000-0x000000000040B000-memory.dmp upx
behavioral2/files/0x0008000000023bce-30.dat upx
behavioral2/memory/628-40-0x0000000000400000-0x0000000000462000-memory.dmp upx
behavioral2/memory/628-41-0x0000000000400000-0x0000000000462000-memory.dmp upx
behavioral2/memory/2368-42-0x0000000000400000-0x000000000040B000-memory.dmp upx
behavioral2/memory/628-46-0x0000000000400000-0x0000000000462000-memory.dmp upx
behavioral2/memory/628-57-0x0000000000400000-0x0000000000462000-memory.dmp upx
behavioral2/memory/2368-58-0x0000000000400000-0x000000000040B000-memory.dmp upx
behavioral2/memory/3020-70-0x0000000000400000-0x000000000040B000-memory.dmp upx
Drops file in Program Files directory 1 IoCs
description ioc Process
File created C:\PROGRA~3\LOCALS~1\Temp\msfusafjk.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skyrpe.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skyrpe.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skyrpe.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
2008 skyrpe.exe
2008 skyrpe.exe
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process
2008 skyrpe.exe
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process
Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe Token: SeDebugPrivilege 3020 skyrpe.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
4588 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe
2368 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe
628 skyrpe.exe
3020 skyrpe.exe
Suspicious use of WriteProcessMemory 34 IoCs
description pid Process procid_target
PID 4588 wrote to memory of 2368 4588 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe 90
PID 4588 wrote to memory of 2368 4588 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe 90
PID 4588 wrote to memory of 2368 4588 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe 90
PID 4588 wrote to memory of 2368 4588 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe 90
PID 4588 wrote to memory of 2368 4588 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe 90
PID 4588 wrote to memory of 2368 4588 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe 90
PID 4588 wrote to memory of 2368 4588 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe 90
PID 4588 wrote to memory of 2368 4588 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe 90
PID 2368 wrote to memory of 4820 2368 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe 91
PID 2368 wrote to memory of 4820 2368 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe 91
PID 2368 wrote to memory of 4820 2368 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe 91
PID 4820 wrote to memory of 3768 4820 cmd.exe 94
PID 4820 wrote to memory of 3768 4820 cmd.exe 94
PID 4820 wrote to memory of 3768 4820 cmd.exe 94
PID 2368 wrote to memory of 628 2368 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe 95
PID 2368 wrote to memory of 628 2368 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe 95
PID 2368 wrote to memory of 628 2368 591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe 95
PID 628 wrote to memory of 3020 628 skyrpe.exe 97
PID 628 wrote to memory of 3020 628 skyrpe.exe 97
PID 628 wrote to memory of 3020 628 skyrpe.exe 97
PID 628 wrote to memory of 3020 628 skyrpe.exe 97
PID 628 wrote to memory of 3020 628 skyrpe.exe 97
PID 628 wrote to memory of 3020 628 skyrpe.exe 97
PID 628 wrote to memory of 3020 628 skyrpe.exe 97
PID 628 wrote to memory of 3020 628 skyrpe.exe 97
PID 628 wrote to memory of 2008 628 skyrpe.exe 98
PID 628 wrote to memory of 2008 628 skyrpe.exe 98
PID 628 wrote to memory of 2008 628 skyrpe.exe 98
PID 628 wrote to memory of 2008 628 skyrpe.exe 98
PID 628 wrote to memory of 2008 628 skyrpe.exe 98
PID 628 wrote to memory of 2008 628 skyrpe.exe 98
PID 2008 wrote to memory of 1824 2008 skyrpe.exe 99
PID 2008 wrote to memory of 1824 2008 skyrpe.exe 99
PID 2008 wrote to memory of 1824 2008 skyrpe.exe 99
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4588
  [depth 2] C:\Users\Admin\AppData\Local\Temp\591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2368
    [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OACEQ.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4820
      [depth 4] C:\Windows\SysWOW64\reg.exe
        command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Skype" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe" /f
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        PID: 3768
    [depth 3] C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe
      command line: "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 628
      [depth 4] C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe
        command line: "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 3020
      [depth 4] C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe
        command line: "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
        - Executes dropped EXE
        - Maps connected drives based on registry
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        PID: 2008
        [depth 5] C:\Windows\SysWOW64\svchost.exe
          command line: C:\Windows\syswow64\svchost.exe
          - Adds policy Run key to start application
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
          PID: 1824
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
139B
MD5
0654f004b2e314bad7f75867e91da37d
SHA1
4232c22e7340b12108d86e3cb35ed288a3dbc7f1
SHA256
ead325a060300a9606a3f0f14694be39a3e4006a60c6c3eb0bea5d6f98192249
SHA512
dda135cdfca90a742d42b4c7a5e7f5df6580ec428302a8f0c311f5b92eb08dda75774e0c7497110faffbe2dfa02b30d2dfe35ec2848a275f53be8d930c7aa553

Filesize
392KB
MD5
03cc9305838d89860a9ca32e291dc69e
SHA1
a05c1dd505958c404246d2b34a4cc876d97e7d0a
SHA256
3c43982485a0e93c0d98f8161b18c16152b515325d8c0dae8b0416836aeec434
SHA512
d7ce520883aff5bc7f5fc7e8ef7c9327ee98bcc418c80936b165843d916e2da64cf732e273b92d233259fbde6e11c4ca2b92a3f5018323433b293b5b311af037