Analysis
- max time kernel: 15s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 07-12-2024 23:01
Static task
static1
Behavioral task
behavioral1
Sample
729ed839a7e876e8729b40e94da4193a9a1600387771f89adff0fdf23959e5ebN.exe
Resource
win7-20240729-en
General
- Target: 729ed839a7e876e8729b40e94da4193a9a1600387771f89adff0fdf23959e5ebN.exe
- Size: 2.0MB
- MD5: dd03ae443c895e8ce439b1470c3bc050
- SHA1: 559163d693bb56d225d9dbd96a8abe8adad25193
- SHA256: 729ed839a7e876e8729b40e94da4193a9a1600387771f89adff0fdf23959e5eb
- SHA512: f7548c524118ede20be11c294359d1919675a3dac04757d21ef7590b1ebe9d85c8161bb130b0ff168be4e64f1118fe7375f840d0c01d22908f0760e28942da47
- SSDEEP: 49152:9USaVTmnMWlSMichIn/Ex3Z13vD1YYYYYYYYYYYYYYYBO:9USaVinXkca/Exp1fDr
Malware Config
Signatures
Executes dropped EXE 2 IoCs
pid   Process
2976  vbc.exe
2236  NEWFUD.EXE
Loads dropped DLL 2 IoCs
pid   Process
2296  729ed839a7e876e8729b40e94da4193a9a1600387771f89adff0fdf23959e5ebN.exe
2976  vbc.exe
Uses the VBS compiler for execution 1 TTPs
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\729ed839a7e876e8729b40e94da4193a9a1600387771f89adff0fdf23959e5ebN.exe"
Process: 729ed839a7e876e8729b40e94da4193a9a1600387771f89adff0fdf23959e5ebN.exe
Suspicious use of SetThreadContext 1 IoCs
description                          pid   procid_target  Process
PID 2296 set thread context of 2976  2296  30             729ed839a7e876e8729b40e94da4193a9a1600387771f89adff0fdf23959e5ebN.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  NEWFUD.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DllHost.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  729ed839a7e876e8729b40e94da4193a9a1600387771f89adff0fdf23959e5ebN.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
2864  DllHost.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
2864  DllHost.exe
2864  DllHost.exe
Suspicious use of WriteProcessMemory 15 IoCs
description                       pid   procid_target  Process
PID 2296 wrote to memory of 2976  2296  30             729ed839a7e876e8729b40e94da4193a9a1600387771f89adff0fdf23959e5ebN.exe
PID 2296 wrote to memory of 2976  2296  30             729ed839a7e876e8729b40e94da4193a9a1600387771f89adff0fdf23959e5ebN.exe
PID 2296 wrote to memory of 2976  2296  30             729ed839a7e876e8729b40e94da4193a9a1600387771f89adff0fdf23959e5ebN.exe
PID 2296 wrote to memory of 2976  2296  30             729ed839a7e876e8729b40e94da4193a9a1600387771f89adff0fdf23959e5ebN.exe
PID 2296 wrote to memory of 2976  2296  30             729ed839a7e876e8729b40e94da4193a9a1600387771f89adff0fdf23959e5ebN.exe
PID 2296 wrote to memory of 2976  2296  30             729ed839a7e876e8729b40e94da4193a9a1600387771f89adff0fdf23959e5ebN.exe
PID 2296 wrote to memory of 2976  2296  30             729ed839a7e876e8729b40e94da4193a9a1600387771f89adff0fdf23959e5ebN.exe
PID 2296 wrote to memory of 2976  2296  30             729ed839a7e876e8729b40e94da4193a9a1600387771f89adff0fdf23959e5ebN.exe
PID 2296 wrote to memory of 2976  2296  30             729ed839a7e876e8729b40e94da4193a9a1600387771f89adff0fdf23959e5ebN.exe
PID 2296 wrote to memory of 2976  2296  30             729ed839a7e876e8729b40e94da4193a9a1600387771f89adff0fdf23959e5ebN.exe
PID 2296 wrote to memory of 2976  2296  30             729ed839a7e876e8729b40e94da4193a9a1600387771f89adff0fdf23959e5ebN.exe
PID 2976 wrote to memory of 2236  2976  31             vbc.exe
PID 2976 wrote to memory of 2236  2976  31             vbc.exe
PID 2976 wrote to memory of 2236  2976  31             vbc.exe
PID 2976 wrote to memory of 2236  2976  31             vbc.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\729ed839a7e876e8729b40e94da4193a9a1600387771f89adff0fdf23959e5ebN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\729ed839a7e876e8729b40e94da4193a9a1600387771f89adff0fdf23959e5ebN.exe"
  PID: 2296
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\vbc.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\vbc.exe
    PID: 2976
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Users\Admin\AppData\Local\Temp\NEWFUD.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\NEWFUD.EXE"
      PID: 2236
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
- (depth 1) C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 2864
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.1MB
  MD5: 5da38f692b690e812faf16af37dbd33b
  SHA1: 150b19e5f890fbba03345a7bc281a059d3c4cc0d
  SHA256: 05d83398af7bc3b5e20527b9eb5a75513c329f624ad40b36e2fb6bbfdc662c1e
  SHA512: 454ddc1bcd8fb30dd96c80913dc9f0b5072663d7610b3cc6605afed3db53d7f5bf3ba0d914d3f093f093aa205766c91e44e33ba3fda0364f3fc263b6b16b9926
- Filesize: 28KB
  MD5: dfabd849928204e2c7f8e483b2421de0
  SHA1: 1e0ecfd682a951cfaf9010817a76b0781dba2804
  SHA256: 46dea00cd97f25c286c60d71d5083095dea577cf833f464ac73293d1504edc50
  SHA512: 200b7a9b205ebd2849f3ca207a19cd56f265524cbbce74a569dca8dd36f6ae6bafe23243030898e17a31abcbfe1767744e7c61ab72fa2501b6a3d6881961e38e
- Filesize: 1.1MB
  MD5: 34aa912defa18c2c129f1e09d75c1d7e
  SHA1: 9c3046324657505a30ecd9b1fdb46c05bde7d470
  SHA256: 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
  SHA512: d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98