Analysis

max time kernel: 111s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2024 10:52

Static task: static1

Behavioral task: behavioral1
Sample: fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe
Resource: win10v2004-20241007-en
General

Target: fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe
Size: 155KB
MD5: ad08082dbb3d86552b9432ccb0b4ae90
SHA1: 52af7c1185b6ff693df2518546731cfb6b1bfce8
SHA256: fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082
SHA512: 3c7a820c47e45a49b8910550285c2a8b1735f6a584470578d1d4205cc525dc654d539cd00f59f496d097c9102f91efa1e2963711144c440b90b3dbc8771e2ae1
SSDEEP: 1536:mvy50tV44aqwoa9ujdbNyVXa1lgNdaOCt1kTWoLY/r4T8YorEkyrnrm0URuj:mtWZqwoa9Xa1Idart19E
Malware Config

Signatures

- Andromeda family

- Detects Andromeda payload (5 IoCs)
  resource | yara_rule
  behavioral2/memory/3964-0-0x0000000000400000-0x0000000000409000-memory.dmp | family_andromeda
  behavioral2/memory/3964-2-0x0000000000400000-0x0000000000409000-memory.dmp | family_andromeda
  behavioral2/memory/2068-10-0x0000000000380000-0x0000000000385000-memory.dmp | family_andromeda
  behavioral2/memory/2068-12-0x0000000000380000-0x0000000000385000-memory.dmp | family_andromeda
  behavioral2/memory/2068-16-0x0000000000380000-0x0000000000385000-memory.dmp | family_andromeda

- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\60687 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\ccmotvuuc.pif" | msiexec.exe

- Blocklisted process makes network request (25 IoCs)
  flow | pid | Process
  16, 17, 18, 19, 20, 21, 22, 23, 24, 28, 29, 30, 31, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70 (one row per flow) | 2068 | msiexec.exe

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 3304 set thread context of 3964 | 3304 | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe | 82

- Drops file in Program Files directory (1 IoC)
  description | ioc | Process
  File created | C:\PROGRA~3\LOCALS~1\Temp\ccmotvuuc.pif | msiexec.exe

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe

- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid | Process
  3964 | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe
  3964 | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3304 wrote to memory of 3964 | 3304 | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe | 82
  PID 3304 wrote to memory of 3964 | 3304 | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe | 82
  PID 3304 wrote to memory of 3964 | 3304 | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe | 82
  PID 3304 wrote to memory of 3964 | 3304 | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe | 82
  PID 3304 wrote to memory of 3964 | 3304 | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe | 82
  PID 3304 wrote to memory of 3964 | 3304 | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe | 82
  PID 3964 wrote to memory of 2068 | 3964 | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe | 83
  PID 3964 wrote to memory of 2068 | 3964 | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe | 83
  PID 3964 wrote to memory of 2068 | 3964 | fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe | 83
Processes

- C:\Users\Admin\AppData\Local\Temp\fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe"
  PID: 3304
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe (depth 2, child of PID 3304)
    command line: "C:\Users\Admin\AppData\Local\Temp\fcf6ef18e45949e66e79c580b7f92b9097c41dba3b2976f3235b2f93c7f95082.exe"
    PID: 3964
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\msiexec.exe (depth 3, child of PID 3964)
      command line: C:\Windows\syswow64\msiexec.exe
      PID: 2068
      - Adds policy Run key to start application
      - Blocklisted process makes network request
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery