Analysis
max time kernel: 148s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30-11-2024 10:54
Behavioral task behavioral1
  Sample: EA7D9B2BC4EE15A1065405D8F5BF0C76.exe
  Resource: win7-20240903-en
Behavioral task behavioral2
  Sample: EA7D9B2BC4EE15A1065405D8F5BF0C76.exe
  Resource: win10v2004-20241007-en
General
Target: EA7D9B2BC4EE15A1065405D8F5BF0C76.exe
Size: 129KB
MD5: fe0f4300da8dfa0ae70791baea2bef2c
SHA1: bed386ebad6b6c209860c6e8822f9770a00a6560
SHA256: 5b1fca52fd4bc6dc4aae43b0551164b553852d94a1cee051b653b352ede7f9e3
SHA512: 7f0609f7dee98332d9a820c2401f64de72b888de67033778ff6c9326b92c51bef017c8c29291935851656d5d703e88b9ca6daeca5aba9c0403ebd13e4c1ae808
SSDEEP: 1536:7Q5UK5dcnRLxHv8qcL90Api4Q9TnMv6WdqdIl2h1w:7oUKkRJ0LLiA44AgLdqX1w
Malware Config
Signatures

Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | EA7D9B2BC4EE15A1065405D8F5BF0C76.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MicrosoftCorp = "C:\\Windows\\TT.exe" | EA7D9B2BC4EE15A1065405D8F5BF0C76.exe
Executes dropped EXE (1 IoCs)
pid | Process
2052 | TT.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\sysdiag64.exe = "C:\\Windows\\TT.exe" | EA7D9B2BC4EE15A1065405D8F5BF0C76.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicrosoftNAPC = "C:\\Windows\\TT.exe" | EA7D9B2BC4EE15A1065405D8F5BF0C76.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\TT.exe | EA7D9B2BC4EE15A1065405D8F5BF0C76.exe
File opened for modification | C:\Windows\TT.exe | EA7D9B2BC4EE15A1065405D8F5BF0C76.exe
File opened for modification | C:\Windows\TT.exe | TT.exe
File created | C:\Windows\TT.exe | TT.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EA7D9B2BC4EE15A1065405D8F5BF0C76.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2460 wrote to memory of 2052 | 2460 | EA7D9B2BC4EE15A1065405D8F5BF0C76.exe | 31
PID 2460 wrote to memory of 2052 | 2460 | EA7D9B2BC4EE15A1065405D8F5BF0C76.exe | 31
PID 2460 wrote to memory of 2052 | 2460 | EA7D9B2BC4EE15A1065405D8F5BF0C76.exe | 31
PID 2460 wrote to memory of 2052 | 2460 | EA7D9B2BC4EE15A1065405D8F5BF0C76.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\EA7D9B2BC4EE15A1065405D8F5BF0C76.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\EA7D9B2BC4EE15A1065405D8F5BF0C76.exe"
   PID: 2460
   - Adds policy Run key to start application
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\TT.exe
      Command line: "C:\Windows\TT.exe"
      PID: 2052
      - Executes dropped EXE
      - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 129KB
MD5: fe0f4300da8dfa0ae70791baea2bef2c
SHA1: bed386ebad6b6c209860c6e8822f9770a00a6560
SHA256: 5b1fca52fd4bc6dc4aae43b0551164b553852d94a1cee051b653b352ede7f9e3
SHA512: 7f0609f7dee98332d9a820c2401f64de72b888de67033778ff6c9326b92c51bef017c8c29291935851656d5d703e88b9ca6daeca5aba9c0403ebd13e4c1ae808