Analysis

max time kernel: 140s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-12-2024 16:28
Static task: static1

Behavioral task: behavioral1
  Sample: 69be5428a0e939a5bf4453b34aad1a86791ab75411b6a339d727197f82bc8411.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 69be5428a0e939a5bf4453b34aad1a86791ab75411b6a339d727197f82bc8411.exe
  Resource: win10v2004-20241007-en
General

Target: 69be5428a0e939a5bf4453b34aad1a86791ab75411b6a339d727197f82bc8411.exe
Size: 701KB
MD5: 5890798f97f9144206499433a5db3011
SHA1: 1c9c488123a81bf8d2216ac57c089e056f899433
SHA256: 69be5428a0e939a5bf4453b34aad1a86791ab75411b6a339d727197f82bc8411
SHA512: 964f340060a67abed11d06ac40cb8cb2577f985e8815cc12f306e37a716792ae8edac02645d0cddeea5d81f72ef402363c909b6f510eb2a37c76f1cf56caada9
SSDEEP: 6144:57A/MmghsENIsRctX5rUvQSNj0LZOWM8yucn:5U/Mv0rU1Nj0LZOd8yus
Malware Config

Signatures
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1620 set thread context of 2764 | 1620 | 69be5428a0e939a5bf4453b34aad1a86791ab75411b6a339d727197f82bc8411.exe | 33
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 69be5428a0e939a5bf4453b34aad1a86791ab75411b6a339d727197f82bc8411.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 69be5428a0e939a5bf4453b34aad1a86791ab75411b6a339d727197f82bc8411.exe
Modifies registry class (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 3044 | explorer.exe (11 identical rows)
Suspicious use of FindShellTrayWindow (27 IoCs)
  pid | Process
  3044 | explorer.exe (27 identical rows)
Suspicious use of SendNotifyMessage (16 IoCs)
  pid | Process
  3044 | explorer.exe (16 identical rows)
Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 1620 wrote to memory of 3044 | 1620 | 69be5428a0e939a5bf4453b34aad1a86791ab75411b6a339d727197f82bc8411.exe | 30 (4 identical rows)
  PID 3044 wrote to memory of 1860 | 3044 | explorer.exe | 31 (3 identical rows)
  PID 1620 wrote to memory of 2764 | 1620 | 69be5428a0e939a5bf4453b34aad1a86791ab75411b6a339d727197f82bc8411.exe | 33 (9 identical rows)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\69be5428a0e939a5bf4453b34aad1a86791ab75411b6a339d727197f82bc8411.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\69be5428a0e939a5bf4453b34aad1a86791ab75411b6a339d727197f82bc8411.exe"
  PID: 1620
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\explorer.exe
    Command line: "C:\Windows\explorer.exe"
    PID: 3044
    - Boot or Logon Autostart Execution: Active Setup
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\ctfmon.exe
      Command line: ctfmon.exe
      PID: 1860

  C:\Users\Admin\AppData\Local\Temp\69be5428a0e939a5bf4453b34aad1a86791ab75411b6a339d727197f82bc8411.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\69be5428a0e939a5bf4453b34aad1a86791ab75411b6a339d727197f82bc8411.exe"
    PID: 2764
    - System Location Discovery: System Language Discovery