Analysis
-
max time kernel
63s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
20/01/2025, 01:23 UTC
Behavioral task
behavioral1
Sample
aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe
Resource
win10v2004-20241007-en
General
-
Target
aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe
-
Size
2.2MB
-
MD5
bcf5559020787f325c89ab5a51e24e2b
-
SHA1
5132b44f2cc8c7c223ab4406825de6d9b0b9122a
-
SHA256
aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391
-
SHA512
0f1e505ef4d96a7265596feb34b3b85f2b18ba786b339cf4f7276b25aea4a9ce1f54a176aaf66b127e1d814386c1151f65ff7ec875c1fcb9c62a2a3eb3209988
-
SSDEEP
24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZz:0UzeyQMS4DqodCnoe+iitjWwwP
Malware Config
Signatures
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2948 set thread context of 2716 2948 aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe 31 -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Parameters.ini aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2716 aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe 2716 aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2948 wrote to memory of 2772 2948 aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe 30 PID 2948 wrote to memory of 2772 2948 aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe 30 PID 2948 wrote to memory of 2772 2948 aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe 30 PID 2948 wrote to memory of 2772 2948 aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe 30 PID 2948 wrote to memory of 2716 2948 aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe 31 PID 2948 wrote to memory of 2716 2948 aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe 31 PID 2948 wrote to memory of 2716 2948 aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe 31 PID 2948 wrote to memory of 2716 2948 aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe 31 PID 2948 wrote to memory of 2716 2948 aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe 31 PID 2948 wrote to memory of 2716 2948 aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe"C:\Users\Admin\AppData\Local\Temp\aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2772
-
-
C:\Users\Admin\AppData\Local\Temp\aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe"C:\Users\Admin\AppData\Local\Temp\aa96e5d2733c99c712a78d3af30cc5fe83bb2aad00d5061c5e287cf7d91c2391.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2716
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74B
MD56687785d6a31cdf9a5f80acb3abc459b
SHA11ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA2563b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA5125fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962