Analysis
max time kernel: 150s
max time network: 140s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 30-11-2024 13:51
Static task: static1
Behavioral task: behavioral1
Sample: 7979fef1fb127fc4dccd331b8081f9361ece01ae1768752abd07d9c668b26983.exe
Resource: win7-20241010-en
General
Target: 7979fef1fb127fc4dccd331b8081f9361ece01ae1768752abd07d9c668b26983.exe
Size: 51.1MB
MD5: d6016b628f54b6ab28b78cccf55b48df
SHA1: 4bc214534ff2dfcf886ea424b2bb54de8525e0d8
SHA256: 7979fef1fb127fc4dccd331b8081f9361ece01ae1768752abd07d9c668b26983
SHA512: 16546a68c03640bce50d57a12169efda264c0fe218ea04e114a4a22d3b5d6a26e55b21b9ca76acd82c285391c9b89838eae069eae1d5e2b62b0795e6dc59900b
SSDEEP: 786432:R6nLbSYjJrmA4P2EKsSeAGcrNY5L3idyWPI946n2pUTVPLb+0/iciM3HmEh6wTiT:Y+QEKsSeAfvVwe6n2qjb+7ciMZdm
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
  pid    Process
  2868   LineInst.exe
  2916   zubfsttg.exe
  13452  Kbskb.exe
  15272  Kbskb.exe

Loads dropped DLL (8 IoCs)
  pid    Process
  2100   7979fef1fb127fc4dccd331b8081f9361ece01ae1768752abd07d9c668b26983.exe  (8 identical entries)

Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc      Process
  File opened (read-only)  \??\Y:   Kbskb.exe
  (the same event repeats for \??\G:, \??\P:, \??\Q:, \??\U:, \??\V:, \??\Z:, \??\B:, \??\E:, \??\O:, \??\R:, \??\W:, \??\I:, \??\N:, \??\S:, \??\T:, \??\X:, \??\H:, \??\J:, \??\K:, \??\L: and \??\M:, all by Kbskb.exe)

Drops file in System32 directory (2 IoCs)
  description                   ioc                            Process
  File opened for modification  C:\Windows\SysWOW64\Kbskb.exe  zubfsttg.exe
  File created                  C:\Windows\SysWOW64\Kbskb.exe  zubfsttg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (39 IoCs)
  pid    Process
  2916   zubfsttg.exe  (3 entries)
  13452  Kbskb.exe     (2 entries)
  15272  Kbskb.exe     (34 entries)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7979fef1fb127fc4dccd331b8081f9361ece01ae1768752abd07d9c668b26983.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  LineInst.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  zubfsttg.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Kbskb.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Kbskb.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid    Process
  15260  cmd.exe
  15320  PING.EXE

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                    Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       Kbskb.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  Kbskb.exe

Modifies data under HKEY_USERS (12 IoCs)
  description       ioc                                                                                                Process
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings                Kbskb.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft                                                         Kbskb.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie                                             Kbskb.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"                       Kbskb.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings                Kbskb.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections    Kbskb.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  Kbskb.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum                                     Kbskb.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software                                                                   Kbskb.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum                                     Kbskb.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  Kbskb.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"  Kbskb.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  pid    Process
  15320  PING.EXE

Suspicious behavior: EnumeratesProcesses (35 IoCs)
  pid    Process
  15272  Kbskb.exe  (35 identical entries)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                        pid    Process
  Token: SeIncBasePriorityPrivilege  2916   zubfsttg.exe
  Token: 33                          15272  Kbskb.exe
  Token: SeIncBasePriorityPrivilege  15272  Kbskb.exe
  Token: 33                          15272  Kbskb.exe
  Token: SeIncBasePriorityPrivilege  15272  Kbskb.exe

Suspicious use of WriteProcessMemory (23 IoCs)
  description                          pid    Process                                                                procid_target
  PID 2100 wrote to memory of 2916     2100   7979fef1fb127fc4dccd331b8081f9361ece01ae1768752abd07d9c668b26983.exe  31  (4 entries)
  PID 2100 wrote to memory of 2868     2100   7979fef1fb127fc4dccd331b8081f9361ece01ae1768752abd07d9c668b26983.exe  32  (7 entries)
  PID 13452 wrote to memory of 15272   13452  Kbskb.exe                                                              35  (4 entries)
  PID 2916 wrote to memory of 15260    2916   zubfsttg.exe                                                           34  (4 entries)
  PID 15260 wrote to memory of 15320   15260  cmd.exe                                                                37  (4 entries)
Processes

(level 1) C:\Users\Admin\AppData\Local\Temp\7979fef1fb127fc4dccd331b8081f9361ece01ae1768752abd07d9c668b26983.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7979fef1fb127fc4dccd331b8081f9361ece01ae1768752abd07d9c668b26983.exe"
  PID: 2100
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  (level 2) C:\Users\Admin\AppData\Local\Temp\zubfsttg.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\zubfsttg.exe"
    PID: 2916
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    (level 3) C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\zubfsttg.exe > nul
      PID: 15260
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory

      (level 4) C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 2 127.0.0.1
        PID: 15320
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe

  (level 2) C:\Users\Admin\AppData\Local\Temp\LineInst.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\LineInst.exe"
    PID: 2868
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

(level 1) C:\Windows\SysWOW64\Kbskb.exe
  Command line: C:\Windows\SysWOW64\Kbskb.exe -auto
  PID: 13452
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  (level 2) C:\Windows\SysWOW64\Kbskb.exe
    Command line: C:\Windows\SysWOW64\Kbskb.exe -acsi
    PID: 15272
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4.5MB
MD5: 8bcca35447a5d6740d82e71a8fe3f23c
SHA1: 843c326a617b37f8d6409146e7e0fe9f0869ac0e
SHA256: 5a8ff2bcdc03b385af4b63c6316ebc89042b641137dc6a72e4ca41653a64dd75
SHA512: 03df9ea8de1eebe43366393f5e463fce1137686ce5e9512c53e8977db83ca763d9d4645c140e025b51112a6d21c20d622bdbf45d1a4dd93dd9297fad51fd028a

Filesize: 1004KB
MD5: 587e3bc21efaf428c87331decc9bfeb3
SHA1: a5b8ebeab4e3968673a61a95350b7f0bf60d7459
SHA256: b931c5686cc09b2183bba197dc151b8e95ca6151e39fb98954352340c0b31120
SHA512: ffae2dab5caf16dc7dfd0a97a8ff6349a466bc57ee043d1ac4d53e011498e39b9a855295d10207ba578c6857abebd445d378e83aa2ff6ec247713d81b370d0ca

Filesize: 27.4MB
MD5: f86698c77feaa537e043c6b7cd196367
SHA1: 0e0b994ad8015f913347d2777f56d0de756c2563
SHA256: fe8c3aa2b4383bc06e24fb05795e171963da0f1160369ab0feb400be177bbfca
SHA512: 236e482845313044259064de02a7509c7d53581ac234225b043574e0586d96782e21c01675cefae33b389aba188dfb4760c4b2622085e44bd45797ff3bcb4fb0