Analysis

max time kernel:   142s
max time network:  145s
platform:          windows10-2004_x64
resource:          win10v2004-20241007-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted:         02-12-2024 10:56
Static task:       static1

Behavioral task:   behavioral1
  Sample:          fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe
  Resource:        win7-20240903-en

Behavioral task:   behavioral2
  Sample:          fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe
  Resource:        win10v2004-20241007-en
General

Target:   fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe
Size:     155KB
MD5:      ad08082dbb3d86552b9432ccb0b4ae90
SHA1:     52af7c1185b6ff693df2518546731cfb6b1bfce8
SHA256:   fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082
SHA512:   3c7a820c47e45a49b8910550285c2a8b1735f6a584470578d1d4205cc525dc654d539cd00f59f496d097c9102f91efa1e2963711144c440b90b3dbc8771e2ae1
SSDEEP:   1536:mvy50tV44aqwoa9ujdbNyVXa1lgNdaOCt1kTWoLY/r4T8YorEkyrnrm0URuj:mtWZqwoa9Xa1Idart19E
Malware Config
Signatures
Andromeda family

Detects Andromeda payload (5 IoCs)

resource                                                                      yara_rule
behavioral2/memory/2336-0-0x0000000000400000-0x0000000000409000-memory.dmp    family_andromeda
behavioral2/memory/2336-2-0x0000000000400000-0x0000000000409000-memory.dmp    family_andromeda
behavioral2/memory/3744-10-0x0000000000A30000-0x0000000000A35000-memory.dmp   family_andromeda
behavioral2/memory/3744-12-0x0000000000A30000-0x0000000000A35000-memory.dmp   family_andromeda
behavioral2/memory/3744-16-0x0000000000A30000-0x0000000000A35000-memory.dmp   family_andromeda
Adds policy Run key to start application (2 TTPs, 2 IoCs)

description      | ioc                                                                                                                                        | Process
Key created      | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run                                                           | msiexec.exe
Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\51135 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\cccluo.cmd"          | msiexec.exe
Blocklisted process makes network request (37 IoCs)

All 37 flows originate from pid 3744 (msiexec.exe):
flows 19, 20, 21, 24, 25, 26, 27, 29, 30, 31, 32, 33, 34, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85
Suspicious use of SetThreadContext (1 IoC)

description                           | pid  | Process                                                                  | procid_target
PID 3152 set thread context of 2336   | 3152 | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe    | 82
Drops file in Program Files directory (1 IoC)

description   | ioc                                        | Process
File created  | C:\PROGRA~3\LOCALS~1\Temp\cccluo.cmd       | msiexec.exe

Note that C:\PROGRA~3 is an 8.3 short name; on a default Windows 10 x64 image it typically resolves to C:\ProgramData rather than to a Program Files directory, so resolve the short path before relying on the signature's directory label.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

Attempts to gather information about the system language of the victim host in order to infer its geographical location. This key is also read by many benign programs for locale lookups, so on its own it is a weak indicator; it gains weight here because it is opened by both the hollowed sample and the injected msiexec.exe.

description  | ioc                                                            | Process
Key opened   | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe
Key opened   | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    | msiexec.exe
Key opened   | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe
Suspicious behavior: MapViewOfSection (2 IoCs)

pid   | Process
2336  | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe
2336  | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe
Suspicious use of WriteProcessMemory (9 IoCs)

description                        | pid  | Process                                                                  | procid_target
PID 3152 wrote to memory of 2336   | 3152 | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe    | 82
PID 3152 wrote to memory of 2336   | 3152 | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe    | 82
PID 3152 wrote to memory of 2336   | 3152 | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe    | 82
PID 3152 wrote to memory of 2336   | 3152 | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe    | 82
PID 3152 wrote to memory of 2336   | 3152 | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe    | 82
PID 3152 wrote to memory of 2336   | 3152 | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe    | 82
PID 2336 wrote to memory of 3744   | 2336 | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe    | 83
PID 2336 wrote to memory of 3744   | 2336 | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe    | 83
PID 2336 wrote to memory of 3744   | 2336 | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe    | 83
Processes

1. C:\Users\Admin\AppData\Local\Temp\fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe"
   PID: 3152
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe  (child of PID 3152)
      command line: "C:\Users\Admin\AppData\Local\Temp\fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe"
      PID: 2336
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\msiexec.exe  (child of PID 2336)
         command line: C:\Windows\syswow64\msiexec.exe
         PID: 3744
         - Adds policy Run key to start application
         - Blocklisted process makes network request
         - Drops file in Program Files directory
         - System Location Discovery: System Language Discovery