Analysis

max time kernel: 112s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2024, 13:39
Static task: static1

Behavioral task: behavioral1
  Sample: 3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe
  Resource: win10v2004-20241007-en
General

Target: 3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe
Size: 80KB
MD5: 7cdff1827f0a2e77a0d715f5951558be
SHA1: 9a277d0c2d3ec8f61de77c16d138de7b5367a1c3
SHA256: 3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae
SHA512: 62675a38ef9ba9b0bad79bae8937c25c453e7d821525f585149419a8d0c95ae2f2b80a4e580f4ce8b33ab093c3e757c8e0711fa81fff1b5c6f70f5508d0d66d2
SSDEEP: 1536:BxR5bM9oLiCMsJozgKWNJ4NJxPMg2o1Ej7j:BP5bphozgKWNJ4NJxPR1A7j
Malware Config
Signatures
- Andromeda family

- Detects Andromeda payload (5 IoCs)
  The YARA rule family_andromeda matched in two processes: the sample's own image region (0x400000-0x409000) in the second-stage instance PID 536, and a separate 0x5000-byte region (0x1470000-0x1475000) in msiexec.exe PID 3112, i.e. the payload that was written into the hollowed msiexec.exe host. The msiexec.exe region is the one to carve if you want the unpacked bot.

  resource                                                                     yara_rule
  behavioral2/memory/536-0-0x0000000000400000-0x0000000000409000-memory.dmp    family_andromeda
  behavioral2/memory/536-3-0x0000000000400000-0x0000000000409000-memory.dmp    family_andromeda
  behavioral2/memory/3112-11-0x0000000001470000-0x0000000001475000-memory.dmp  family_andromeda
  behavioral2/memory/3112-13-0x0000000001470000-0x0000000001475000-memory.dmp  family_andromeda
  behavioral2/memory/3112-17-0x0000000001470000-0x0000000001475000-memory.dmp  family_andromeda
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Persistence is written under the Policies\Explorer\Run key rather than the ordinary CurrentVersion\Run key. Entries there are executed by Explorer at logon and do not appear in the usual Run-key autostart listings, and legitimate installers rarely touch this location, so any write to it from msiexec.exe is a strong signal. The value data uses 8.3 short names (PROGRA~3, LOCALS~1) and a .scr extension for what is a dropped executable.

  description      ioc                                                                                                        Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run                           msiexec.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\42936 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\ccvubzby.scr"  msiexec.exe
- Executes dropped EXE (1 IoCs)

  pid   Process
  536   3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe
- Blocklisted process makes network request (25 IoCs)
  All 25 flows originate from msiexec.exe PID 3112, the injected host process; the original sample (PIDs 412 and 536) makes no network requests itself.

  flow   pid    Process
  14     3112   msiexec.exe
  15     3112   msiexec.exe
  16     3112   msiexec.exe
  17     3112   msiexec.exe
  18     3112   msiexec.exe
  19     3112   msiexec.exe
  20     3112   msiexec.exe
  21     3112   msiexec.exe
  22     3112   msiexec.exe
  26     3112   msiexec.exe
  27     3112   msiexec.exe
  28     3112   msiexec.exe
  29     3112   msiexec.exe
  48     3112   msiexec.exe
  49     3112   msiexec.exe
  50     3112   msiexec.exe
  51     3112   msiexec.exe
  52     3112   msiexec.exe
  53     3112   msiexec.exe
  54     3112   msiexec.exe
  55     3112   msiexec.exe
  56     3112   msiexec.exe
  57     3112   msiexec.exe
  58     3112   msiexec.exe
  60     3112   msiexec.exe
- Suspicious use of SetThreadContext (1 IoCs)
  The first instance of the sample (PID 412) sets the thread context of a second instance of itself (PID 536): a self-hollowing step that replaces the suspended child's entry point before it runs, so the unpacked code executes under the sample's own image name.

  description                   pid   Process                                                                 procid_target
  PID 412 set thread context of 536   3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe   85
- Drops file in Program Files directory (1 IoCs)
  The sandbox labels the path as a Program Files location, but PROGRA~3 is an 8.3 short name; on a default x64 install PROGRA~1 and PROGRA~2 are the two Program Files directories and PROGRA~3 typically resolves to C:\ProgramData, so the drop location is most likely C:\ProgramData\Local Settings\Temp\ccvubzby.scr. Resolve the short name on the host (e.g. dir /x C:\) before writing the path into a detection.

  description    ioc                                        Process
  File created   C:\PROGRA~3\LOCALS~1\Temp\ccvubzby.scr     msiexec.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host. Both instances of the sample and the injected msiexec.exe read the NLS\Language key; a locale check before the payload runs is consistent with a geographic kill switch, so re-running the sample under a different locale may change its behaviour.

  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)

  pid   Process
  536   3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe
  536   3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe
- Suspicious use of WriteProcessMemory (9 IoCs)

  description                      pid   Process                                                                 procid_target
  PID 412 wrote to memory of 536   412   3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe   85
  PID 412 wrote to memory of 536   412   3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe   85
  PID 412 wrote to memory of 536   412   3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe   85
  PID 412 wrote to memory of 536   412   3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe   85
  PID 412 wrote to memory of 536   412   3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe   85
  PID 412 wrote to memory of 536   412   3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe   85
  PID 536 wrote to memory of 3112  536   3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe   86
  PID 536 wrote to memory of 3112  536   3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe   86
  PID 536 wrote to memory of 3112  536   3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe   86
Processes

Execution chain: the sample (PID 412) launches a second copy of itself (PID 536) and hollows it; that copy launches C:\Windows\SysWOW64\msiexec.exe with no arguments (PID 3112) and writes the Andromeda payload into it. Only the hollowed msiexec.exe drops the .scr file, sets the policy Run value and talks to the network.

1. C:\Users\Admin\AppData\Local\Temp\3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe"
   PID: 412
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe"
      PID: 536
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\msiexec.exe
         command line: C:\Windows\syswow64\msiexec.exe
         PID: 3112
         - Adds policy Run key to start application
         - Blocklisted process makes network request
         - Drops file in Program Files directory
         - System Location Discovery: System Language Discovery
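The signatures and process tree above describe one chain: a self-hollow (412 into 536), a second hollow into an argument-less msiexec.exe (536 into 3112), and then persistence, a dropped file and network traffic all coming from the msiexec.exe host. The following detection pass is an added example and is not part of the sandbox report or its tooling; it runs over constructed Sysmon-style event records (process create, process access, file create, registry set, network connect) that mirror the report's PIDs and paths, and the event shape, field names and TEST-NET addresses are assumptions made for the example.

```python
import re
from collections import Counter

# Hypothetical Sysmon-like events constructed from the report's chain (412 -> 536 -> 3112).
# id 1 = process create, 10 = process access, 11 = file create, 13 = registry set, 3 = network.
SAMPLE = "3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe"
EVENTS = [
    {"id": 1, "pid": 412, "image": SAMPLE, "cmdline": f'"{SAMPLE}"', "ppid": 4000, "parent": "explorer.exe"},
    {"id": 10, "src_pid": 412, "src": SAMPLE, "tgt_pid": 536, "tgt": SAMPLE, "access": 0x1FFFFF},
    {"id": 1, "pid": 536, "image": SAMPLE, "cmdline": f'"{SAMPLE}"', "ppid": 412, "parent": SAMPLE},
    {"id": 10, "src_pid": 536, "src": SAMPLE, "tgt_pid": 3112, "tgt": "msiexec.exe", "access": 0x1FFFFF},
    {"id": 1, "pid": 3112, "image": "msiexec.exe", "cmdline": r"C:\Windows\syswow64\msiexec.exe",
     "ppid": 536, "parent": SAMPLE},
    {"id": 11, "pid": 3112, "image": "msiexec.exe", "target": r"C:\PROGRA~3\LOCALS~1\Temp\ccvubzby.scr"},
    {"id": 13, "pid": 3112, "image": "msiexec.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\42936",
     "details": r"C:\PROGRA~3\LOCALS~1\Temp\ccvubzby.scr"},
] + [  # 25 outbound flows from the hollowed host; destinations are TEST-NET-3 placeholders
    {"id": 3, "pid": 3112, "image": "msiexec.exe", "dst": f"203.0.113.{n}:80"} for n in range(1, 26)
]

# PROCESS_* access rights that WriteProcessMemory / MapViewOfSection-based hollowing needs.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

POLICY_RUN = re.compile(r"\\policies\\explorer\\run\\", re.IGNORECASE)
SHORT_NAME = re.compile(r"\\[^\\]{1,6}~\d+\\")          # an 8.3 segment such as \PROGRA~3\ or \LOCALS~1\
LOLBIN_HOSTS = {"msiexec.exe", "svchost.exe", "regsvr32.exe", "rundll32.exe"}
SYSTEM_PARENTS = LOLBIN_HOSTS | {"services.exe"}


def injection_edges(events):
    """(source pid, target pid) pairs where the source opened the target with memory-write rights."""
    return [(e["src_pid"], e["tgt_pid"]) for e in events
            if e["id"] == 10 and (e["access"] & INJECT_MASK) == INJECT_MASK]


def injection_chain(events, root_pid):
    """Follow injection edges from root_pid and return the ordered PID chain (cycle-safe)."""
    edges = dict(injection_edges(events))
    chain = [root_pid]
    while chain[-1] in edges and edges[chain[-1]] not in chain:
        chain.append(edges[chain[-1]])
    return chain


def hollowed_lolbins(events):
    """A host binary started with no arguments by a non-system parent that then makes
    network connections: the pattern of PID 3112 in the report."""
    created = {e["pid"]: e for e in events if e["id"] == 1}
    connects = Counter(e["pid"] for e in events if e["id"] == 3)
    hits = []
    for pid, e in created.items():
        img = e["image"].lower()
        if img not in LOLBIN_HOSTS:
            continue
        bare = e["cmdline"].strip('"').lower().endswith(img)   # no switches, no package path
        if bare and e["parent"].lower() not in SYSTEM_PARENTS and connects[pid]:
            hits.append({"pid": pid, "parent": e["parent"], "connections": connects[pid]})
    return hits


def policy_run_persistence(events):
    """Values written under Policies\\Explorer\\Run, flagging 8.3 short-name paths in the data."""
    hits = []
    for e in events:
        if e["id"] == 13 and POLICY_RUN.search(e["target"]):
            hits.append({"pid": e["pid"], "image": e["image"],
                         "value": e["target"].rsplit("\\", 1)[1], "data": e["details"],
                         "short_name_path": bool(SHORT_NAME.search(e["details"]))})
    return hits


def dropped_files(events):
    """Paths created by any process in the event set."""
    return [e["target"] for e in events if e["id"] == 11]


def summarize(events, root_pid):
    return {"chain": injection_chain(events, root_pid),
            "hollowed": hollowed_lolbins(events),
            "persistence": policy_run_persistence(events),
            "dropped": dropped_files(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(EVENTS, 412), indent=2))
```

The three checks are deliberately independent: the injection chain comes only from process-access events, the hollowed-host check only from process-create plus network events, and the persistence check only from registry events, so each still fires when the others are missing from telemetry. When adapting this to real Sysmon data, swap the constructed dicts for the corresponding EventData fields and resolve the 8.3 path on the host before matching on it.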
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe
  Filesize: 80KB
  MD5: 7cdff1827f0a2e77a0d715f5951558be
  SHA1: 9a277d0c2d3ec8f61de77c16d138de7b5367a1c3
  SHA256: 3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae
  SHA512: 62675a38ef9ba9b0bad79bae8937c25c453e7d821525f585149419a8d0c95ae2f2b80a4e580f4ce8b33ab093c3e757c8e0711fa81fff1b5c6f70f5508d0d66d2