Analysis
max time kernel: 148s
max time network: 145s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 01-12-2024 13:16
Static task: static1
Behavioral task: behavioral1
Sample: 7979fef1fb127fc4dccd331b8081f9361ece01ae1768752abd07d9c668b26983.exe
Resource: win7-20240903-en
General
Target: 7979fef1fb127fc4dccd331b8081f9361ece01ae1768752abd07d9c668b26983.exe
Size: 51.1MB
MD5: d6016b628f54b6ab28b78cccf55b48df
SHA1: 4bc214534ff2dfcf886ea424b2bb54de8525e0d8
SHA256: 7979fef1fb127fc4dccd331b8081f9361ece01ae1768752abd07d9c668b26983
SHA512: 16546a68c03640bce50d57a12169efda264c0fe218ea04e114a4a22d3b5d6a26e55b21b9ca76acd82c285391c9b89838eae069eae1d5e2b62b0795e6dc59900b
SSDEEP: 786432:R6nLbSYjJrmA4P2EKsSeAGcrNY5L3idyWPI946n2pUTVPLb+0/iciM3HmEh6wTiT:Y+QEKsSeAfvVwe6n2qjb+7ciMZdm
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
  pid    Process
  2836   zubfsttg.exe
  2752   LineInst.exe
  13132  Kbskb.exe
  12996  Kbskb.exe
Loads dropped DLL (8 IoCs)
  pid    Process
  3036   7979fef1fb127fc4dccd331b8081f9361ece01ae1768752abd07d9c668b26983.exe (all 8 DLL load events come from this one process)
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Kbskb.exe, one event per drive letter, in the order reported:
  \??\I: \??\K: \??\R: \??\U: \??\V: \??\H: \??\L: \??\N: \??\Q: \??\Y: \??\E: \??\J: \??\M: \??\P: \??\S: \??\Z: \??\B: \??\G: \??\O: \??\T: \??\W: \??\X:
  (every letter from B to Z except C, D and F, i.e. a sweep for removable, network and optical volumes rather than a targeted read)
Drops file in System32 directory (2 IoCs)
  File created                  C:\Windows\SysWOW64\Kbskb.exe   zubfsttg.exe
  File opened for modification  C:\Windows\SysWOW64\Kbskb.exe   zubfsttg.exe
  Note: zubfsttg.exe is a 32-bit process, so its "System32" write lands in SysWOW64 through WoW64 file-system redirection; the same redirection is why the C:\Windows\system32\cmd.exe it launches shows up as C:\Windows\SysWOW64\cmd.exe in the process tree.
Suspicious use of NtSetInformationThreadHideFromDebugger (38 IoCs)
  pid    Process        events
  2836   zubfsttg.exe   4
  13132  Kbskb.exe      2
  12996  Kbskb.exe      32
  Setting ThreadHideFromDebugger (THREADINFOCLASS 0x11) on a thread stops the kernel from delivering that thread's debug events to an attached debugger; it is a common anti-debugging measure, and the 32 calls from PID 12996 suggest it is applied to every thread that process creates.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: cmd.exe, PING.EXE, 7979fef1fb127fc4dccd331b8081f9361ece01ae1768752abd07d9c668b26983.exe, LineInst.exe, zubfsttg.exe, Kbskb.exe (two events)
  Caveat: the built-in cmd.exe and PING.EXE open this key as well, so the read on its own is a weak indicator; what matters here is that every dropped binary also reads it.
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid    Process
  12972  cmd.exe
  13072  PING.EXE
  Caveat: the ping here targets 127.0.0.1 (see the process tree), so it is a delay before deleting the dropper, not a real connectivity check; the TTP label is a false positive of the "ping" heuristic.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        Kbskb.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   Kbskb.exe
Modifies data under HKEY_USERS (12 IoCs)
  All by Kbskb.exe, under \REGISTRY\USER\.DEFAULT (the default profile hive, which is what a process sees when it is not running in a logged-on user's session):
  Key created       ...\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (data)  ...\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created       ...\Software\Microsoft\ActiveMovie\devenum
  Key created       ...\Software
  Key created       ...\SOFTWARE\Microsoft
  Key created       ...\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created       ...\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (data)  ...\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created       ...\SOFTWARE\Microsoft\ActiveMovie
  Key created       ...\SOFTWARE\Microsoft\ActiveMovie\devenum
  Set value (int)   ...\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"
  Set value (int)   ...\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  These look like the side effects of the process initialising WinInet (connection settings, ProxyEnable = 0 meaning a direct connection) and DirectShow (the devenum cache version) rather than deliberate persistence; the report shows no Run key or service registration under these hives.
Runs ping.exe (1 TTPs, 1 IoCs)
  pid    Process
  13072  PING.EXE
Suspicious behavior: EnumeratesProcesses (35 IoCs)
  pid    Process     events
  12996  Kbskb.exe   35
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token                               pid    Process
  SeIncBasePriorityPrivilege          2836   zubfsttg.exe
  33 (privilege reported by LUID only) 12996  Kbskb.exe
  SeIncBasePriorityPrivilege          12996  Kbskb.exe
Suspicious use of WriteProcessMemory (23 IoCs)
  writer pid  writer image                                                            target pid  procid_target  writes
  3036        7979fef1fb127fc4dccd331b8081f9361ece01ae1768752abd07d9c668b26983.exe   2836        30             4
  3036        7979fef1fb127fc4dccd331b8081f9361ece01ae1768752abd07d9c668b26983.exe   2752        31             7
  2836        zubfsttg.exe                                                            12972       34             4
  13132       Kbskb.exe                                                               12996       35             4
  12972       cmd.exe                                                                 13072       37             4
  Every parent/child pair in the process tree, including the benign cmd.exe launch of PING.EXE, shows the same handful of writes, which is what ordinary process creation looks like to this hook. No process writes into an unrelated process, so there is no evidence of injection in this run.
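The flattened signature text above is hard to read and is what an analyst usually has to work from when only the report text survives (copied into a ticket, scraped, or exported). The following is an added example, not part of the report or of the sandbox's own tooling: it parses the "PID X wrote to memory of Y X image target" records and the "pid Process" lists back into the parent/child tree, counting writes per edge. The input strings reproduce this report's own records; the parent-resolution rule (first writer wins) is an assumption that holds for this report.

```python
"""Rebuild the parent/child process tree from the flattened signature text
('Suspicious use of WriteProcessMemory' plus the 'pid Process' lists) of a
sandbox report. Added example, not part of the report; the strings below
reproduce this report's own records."""
import re
from collections import Counter

SAMPLE = "7979fef1fb127fc4dccd331b8081f9361ece01ae1768752abd07d9c668b26983.exe"

def _rec(src, dst, image, target, n):
    """One 'PID <src> wrote to memory of <dst> <src> <image> <target>' record, repeated n times."""
    return f"PID {src} wrote to memory of {dst} {src} {image} {target} " * n

# The report's 23 WriteProcessMemory records (same content, built compactly).
WPM_TEXT = (
    _rec(3036, 2836, SAMPLE, 30, 4)
    + _rec(3036, 2752, SAMPLE, 31, 7)
    + _rec(2836, 12972, "zubfsttg.exe", 34, 4)
    + _rec(13132, 12996, "Kbskb.exe", 35, 4)
    + _rec(12972, 13072, "cmd.exe", 37, 4)
)
# 'pid Process' lists from 'Executes dropped EXE' and 'Runs ping.exe'.
PID_PROCESS_TEXT = ("pid Process 2836 zubfsttg.exe 2752 LineInst.exe 13132 Kbskb.exe "
                    "12996 Kbskb.exe pid Process 13072 PING.EXE")

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
PID_PROCESS_RE = re.compile(r"(\d+) (\S+)")

def parse_wpm(text):
    """Count (src_pid, dst_pid) edges and remember each writer's image name."""
    edges = Counter()
    images = {}
    for src, dst, src2, image, _target in WPM_RE.findall(text):
        if src != src2:        # the pid is repeated in each record; a mismatch means a garbled line
            continue
        edges[(int(src), int(dst))] += 1
        images[int(src)] = image
    return edges, images

def parse_pid_process(text):
    """Map pid -> image from a 'pid Process' list."""
    return {int(pid): image for pid, image in PID_PROCESS_RE.findall(text)}

def build_tree(edges, images):
    """Render an indented tree; the first process that wrote into a pid is taken as its parent."""
    parent_of = {}
    for src, dst in edges:
        parent_of.setdefault(dst, src)
    roots = sorted({src for src, _ in edges} - set(parent_of))
    lines = []
    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images.get(pid, '?')}")
        for child in sorted(dst for (src, dst) in edges if src == pid):
            walk(child, depth + 1)
    for root in roots:
        walk(root, 0)
    return lines

def reconstruct(wpm_text=WPM_TEXT, pid_process_text=PID_PROCESS_TEXT):
    """Return (edge counts, tree lines) for the given report text."""
    edges, images = parse_wpm(wpm_text)
    images = {**parse_pid_process(pid_process_text), **images}
    return edges, build_tree(edges, images)

if __name__ == "__main__":
    edges, tree = reconstruct()
    print("\n".join(tree))
    for (src, dst), n in sorted(edges.items()):
        print(f"{src} -> {dst}: {n} write(s)")
```

Running it prints two roots, 3036 (the sample) and 13132 (Kbskb.exe -auto), which is the same shape as the Processes section that follows; a child that is written to by a process outside its own tree would show up as an extra edge and is the case worth alerting on.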
Processes
- C:\Users\Admin\AppData\Local\Temp\7979fef1fb127fc4dccd331b8081f9361ece01ae1768752abd07d9c668b26983.exe (PID 3036)
  command line: "C:\Users\Admin\AppData\Local\Temp\7979fef1fb127fc4dccd331b8081f9361ece01ae1768752abd07d9c668b26983.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\zubfsttg.exe (PID 2836)
    command line: "C:\Users\Admin\AppData\Local\Temp\zubfsttg.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 12972)
      command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\zubfsttg.exe > nul
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE (PID 13072)
        command line: ping -n 2 127.0.0.1
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
  - C:\Users\Admin\AppData\Local\Temp\LineInst.exe (PID 2752)
    command line: "C:\Users\Admin\AppData\Local\Temp\LineInst.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\Kbskb.exe (PID 13132)
  command line: C:\Windows\SysWOW64\Kbskb.exe -auto
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Kbskb.exe (PID 12996)
    command line: C:\Windows\SysWOW64\Kbskb.exe -acsi
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

Reading the tree: the 51 MB sample (PID 3036) starts two dropped executables, zubfsttg.exe and LineInst.exe. zubfsttg.exe writes C:\Windows\SysWOW64\Kbskb.exe and then launches cmd.exe with "ping -n 2 127.0.0.1 > nul && del ...\zubfsttg.exe > nul": the two-echo loopback ping is only a roughly one-second timer that lets zubfsttg.exe exit and release its image before the del runs, so the dropper removes its own file from disk. Kbskb.exe -auto (PID 13132) then appears as a separate root with no parent in the tree, which is consistent with a service start (the report does not capture the registration itself), and spawns Kbskb.exe -acsi (PID 12996), where the drive enumeration, the ~MHz CPU check, the process enumeration and the HKU\.DEFAULT writes all happen. LineInst.exe shows no behaviour in this run beyond the language-key read.
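The "ping the loopback address, then del the caller" idiom in the tree is a cheap, reliable detection for a self-deleting dropper, because a loopback ping has no other use in a command line. The following is an added example, not part of the report: it scans process-creation records for a cmd.exe whose command line pairs a ping to 127.0.0.1/localhost with a del, resolves the parent by pid, and reports whether the deleted path is the parent's own image (the strongest form). The record list is constructed from this report's process tree plus two decoys that must not fire; the parent pid of the sample is not in the report and is set to 0.

```python
"""Flag the 'loopback ping as a timer, then del the launching binary' self-deletion
idiom from process-creation records. Added example, not part of the report; the
record list is built from this report's process tree plus two constructed decoys."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str

# A ping to loopback only makes sense as a delay; -n <count> gives its rough length in seconds.
PING_SLEEP = re.compile(
    r"\bping(?:\.exe)?\s+(?:-n\s+(\d+)\s+)?(?:127\.0\.0\.1|localhost|::1)\b", re.I)
# del/erase <path> with optional switches; the path ends at a redirect or command separator.
DEL_CMD = re.compile(
    r"\b(?:del|erase)\s+(?:/[a-z]\s+)*\"?([^\"&|>]+?)\"?\s*(?:>|&|\||$)", re.I)

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_self_deletion(procs):
    """Return one hit per cmd.exe whose command line pairs a loopback ping with a del."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if _basename(p.image) != "cmd.exe":
            continue
        ping = PING_SLEEP.search(p.cmdline)
        dele = DEL_CMD.search(p.cmdline)
        if ping is None or dele is None:
            continue                      # both halves are required for this idiom
        target = dele.group(1).strip().lower()
        parent = by_pid.get(p.ppid)
        hits.append({
            "pid": p.pid,
            "ppid": p.ppid,
            "ping_count": int(ping.group(1) or 1),
            "deleted_path": target,
            # strongest form: the deleted file is the image of the process that spawned cmd.exe
            "deletes_parent": parent is not None and parent.image.lower() == target,
        })
    return hits

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7979fef1fb127fc4dccd331b8081f9361ece01ae1768752abd07d9c668b26983.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\zubfsttg.exe"
PROCS = [
    Proc(3036, 0, SAMPLE, f'"{SAMPLE}"'),              # parent pid of the sample is not in the report
    Proc(2836, 3036, DROPPER, f'"{DROPPER}"'),
    Proc(12972, 2836, r"C:\Windows\SysWOW64\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del " + DROPPER + " > nul"),
    Proc(13072, 12972, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 2 127.0.0.1"),
    # constructed decoys that must not fire: a real reachability check, and a cleanup with no timer
    Proc(4001, 3999, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ping -n 1 8.8.8.8 > nul"),
    Proc(4002, 3999, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c del /q C:\Temp\build.log"),
]

if __name__ == "__main__":
    for hit in find_self_deletion(PROCS):
        print(hit)
```

On the records above only PID 12972 fires, with deletes_parent set because the del target equals the image path of PID 2836. When the parent record is missing (short retention, or the tree was truncated) the hit is still raised but deletes_parent is False, so triage should treat a loopback-ping-plus-del with an unknown parent as still worth a look rather than as noise.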
Network
MITRE ATT&CK Enterprise v15
Downloads
Files captured during the run (the report does not map these hashes to file names):
- Filesize 4.5MB
  MD5: 8bcca35447a5d6740d82e71a8fe3f23c
  SHA1: 843c326a617b37f8d6409146e7e0fe9f0869ac0e
  SHA256: 5a8ff2bcdc03b385af4b63c6316ebc89042b641137dc6a72e4ca41653a64dd75
  SHA512: 03df9ea8de1eebe43366393f5e463fce1137686ce5e9512c53e8977db83ca763d9d4645c140e025b51112a6d21c20d622bdbf45d1a4dd93dd9297fad51fd028a
- Filesize 1004KB
  MD5: 587e3bc21efaf428c87331decc9bfeb3
  SHA1: a5b8ebeab4e3968673a61a95350b7f0bf60d7459
  SHA256: b931c5686cc09b2183bba197dc151b8e95ca6151e39fb98954352340c0b31120
  SHA512: ffae2dab5caf16dc7dfd0a97a8ff6349a466bc57ee043d1ac4d53e011498e39b9a855295d10207ba578c6857abebd445d378e83aa2ff6ec247713d81b370d0ca
- Filesize 27.4MB
  MD5: f86698c77feaa537e043c6b7cd196367
  SHA1: 0e0b994ad8015f913347d2777f56d0de756c2563
  SHA256: fe8c3aa2b4383bc06e24fb05795e171963da0f1160369ab0feb400be177bbfca
  SHA512: 236e482845313044259064de02a7509c7d53581ac234225b043574e0586d96782e21c01675cefae33b389aba188dfb4760c4b2622085e44bd45797ff3bcb4fb0