Analysis
-
max time kernel
40s -
max time network
46s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
28-06-2024 13:21
Static task
static1
Behavioral task
behavioral1
Sample
9.7.6/9.7.6.lnk
Resource
win7-20240611-en
General
-
Target
9.7.6/9.7.6.lnk
-
Size
1KB
-
MD5
e1a00ff52e4d478249296f61b03f8058
-
SHA1
65ae2d5d15cafc30f29684a68e6fd77aff94f138
-
SHA256
ff9d3aa1b5ba533768b7b4d30e6f42d27edd12461b83a19802889276b0a4237c
-
SHA512
d6157c327162da38647b8c5aeeac88a9042fd73ffb7606f8dc5b9981d27defcf127f7f34d2ed937988ce35c1ecd7b713c6378d96c1c1714ddd1702deeace49d8
Malware Config
Extracted
Protocol: ftp
Host: 94.156.8.173
Port: 21
Username: anonymous
Password: anonymous@
Extracted
lumma
https://foodypannyjsud.shop/api
https://potterryisiw.shop/api
https://contintnetksows.shop/api
https://reinforcedirectorywd.shop/api
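The two extracted configs above are the part of this report that is directly actionable for a network defender: four Lumma C2 URLs and an FTP endpoint with anonymous credentials. As an added example (not code from the report, the sandbox, or the sample), the Python below turns those indicators into a matcher and runs it over constructed log records. The record layout is invented for the example; the domains, URLs and FTP host/port are the ones listed above. It matches subdomains of a C2 domain as well as the exact host, counts a URL hit separately from a bare domain hit, and treats only port 21 on the FTP host as a hit so that unrelated traffic to that address is not flagged.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators taken from the extracted configs above (Lumma C2 URLs and the
# FTP endpoint).
LUMMA_C2_URLS = [
    "https://foodypannyjsud.shop/api",
    "https://potterryisiw.shop/api",
    "https://contintnetksows.shop/api",
    "https://reinforcedirectorywd.shop/api",
]
FTP_HOST, FTP_PORT = "94.156.8.173", 21


def build_indicators(c2_urls=LUMMA_C2_URLS, ftp_host=FTP_HOST, ftp_port=FTP_PORT):
    """Derive matchable indicators: C2 domains, full C2 URLs, FTP endpoint."""
    domains = {urlparse(u).hostname.lower() for u in c2_urls}
    urls = {u.lower().rstrip("/") for u in c2_urls}
    return {"domains": domains, "urls": urls, "ftp": (ftp_host, ftp_port)}


def host_matches(name, domains):
    """True if name is one of the C2 domains or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


@dataclass
class Hit:
    ts: str
    src: str
    kind: str        # dns | http | conn
    indicator: str   # the extracted indicator that matched


def scan_logs(lines, ind):
    """Match whitespace-separated records against the indicators.

    Record layouts are invented for this example (not a real log format):
      <ts> dns  <src_ip> <qname> <qtype>
      <ts> http <src_ip> <method> <url> <status>
      <ts> conn <src_ip> <dst_ip> <dst_port> <proto>
    Malformed records are skipped so one bad line cannot abort a long scan.
    """
    hits = []
    for raw in lines:
        parts = raw.split()
        if len(parts) < 5:
            continue
        ts, kind, src = parts[0], parts[1], parts[2]
        if kind == "dns" and host_matches(parts[3], ind["domains"]):
            hits.append(Hit(ts, src, kind, parts[3].lower().rstrip(".")))
        elif kind == "http" and len(parts) >= 6:
            url = parts[4].lower().rstrip("/")
            if url in ind["urls"]:
                hits.append(Hit(ts, src, kind, url))
            elif host_matches(urlparse(url).hostname or "", ind["domains"]):
                hits.append(Hit(ts, src, kind, urlparse(url).hostname))
        elif kind == "conn" and len(parts) >= 6 and parts[4].isdigit():
            if (parts[3], int(parts[4])) == ind["ftp"]:
                hits.append(Hit(ts, src, kind, f"{parts[3]}:{parts[4]}"))
    return hits


# Constructed sample records: the first four should match, the rest not.
SAMPLE_LOGS = """\
2024-06-28T13:22:01Z dns  10.0.0.5 foodypannyjsud.shop A
2024-06-28T13:22:02Z http 10.0.0.5 POST https://foodypannyjsud.shop/api 200
2024-06-28T13:22:03Z dns  10.0.0.5 cdn.potterryisiw.shop. A
2024-06-28T13:22:04Z conn 10.0.0.5 94.156.8.173 21 tcp
2024-06-28T13:22:05Z dns  10.0.0.7 www.example.com A
2024-06-28T13:22:06Z http 10.0.0.7 GET https://www.example.com/ 200
2024-06-28T13:22:07Z conn 10.0.0.7 94.156.8.173 443 tcp
not a log record
""".splitlines()

if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS, build_indicators()):
        print(f"{h.ts} {h.src} {h.kind:<4} -> {h.indicator}")
```

Suffix matching on the domain is deliberate: Lumma panels rotate hosts under the same registered domains, so a query for any subdomain of a listed domain is worth surfacing even when the exact `/api` URL never appears in proxy logs.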
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Processes: cmd.exe
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation  cmd.exe
Executes dropped EXE 1 IoCs
Processes:
Processes: update.exe
  pid   process
  4592  update.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
Processes: update.exe
  description                          pid   process     target process
  PID 4592 set thread context of 1356  4592  update.exe  RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
Processes: WerFault.exe
  pid   pid_target  process       target process
  1860  4592        WerFault.exe  update.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
Processes: test.exe
  pid   process
  4864  test.exe
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
Processes: cmd.exe, test.exe, cmd.exe, update.exe
  description                       pid   process     target process
  PID 3716 wrote to memory of 4864  3716  cmd.exe     test.exe
  PID 3716 wrote to memory of 4864  3716  cmd.exe     test.exe
  PID 4864 wrote to memory of 1116  4864  test.exe    cmd.exe
  PID 4864 wrote to memory of 1116  4864  test.exe    cmd.exe
  PID 1116 wrote to memory of 4592  1116  cmd.exe     update.exe
  PID 1116 wrote to memory of 4592  1116  cmd.exe     update.exe
  PID 1116 wrote to memory of 4592  1116  cmd.exe     update.exe
  PID 4592 wrote to memory of 3436  4592  update.exe  RegAsm.exe
  PID 4592 wrote to memory of 3436  4592  update.exe  RegAsm.exe
  PID 4592 wrote to memory of 3436  4592  update.exe  RegAsm.exe
  PID 4592 wrote to memory of 2504  4592  update.exe  RegAsm.exe
  PID 4592 wrote to memory of 2504  4592  update.exe  RegAsm.exe
  PID 4592 wrote to memory of 2504  4592  update.exe  RegAsm.exe
  PID 4592 wrote to memory of 1356  4592  update.exe  RegAsm.exe
  PID 4592 wrote to memory of 1356  4592  update.exe  RegAsm.exe
  PID 4592 wrote to memory of 1356  4592  update.exe  RegAsm.exe
  PID 4592 wrote to memory of 1356  4592  update.exe  RegAsm.exe
  PID 4592 wrote to memory of 1356  4592  update.exe  RegAsm.exe
  PID 4592 wrote to memory of 1356  4592  update.exe  RegAsm.exe
  PID 4592 wrote to memory of 1356  4592  update.exe  RegAsm.exe
  PID 4592 wrote to memory of 1356  4592  update.exe  RegAsm.exe
  PID 4592 wrote to memory of 1356  4592  update.exe  RegAsm.exe
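Read together, the SetThreadContext and WriteProcessMemory tables above describe the sequence defenders know as process hollowing: update.exe, running from a Temp directory, writes into a freshly started RegAsm.exe and then sets that process's thread context, and the memory dumps later in the report are taken from that RegAsm.exe (PID 1356). As an added example (not code from the report, the sandbox, or the sample), the Python below aggregates rows in the report's own IoC format and flags a source/target pair only when both a write and a context change land on the same target. That is why the parent-to-child writes from cmd.exe, which are ordinary CreateProcess behaviour, are not reported, while the two other RegAsm.exe instances update.exe wrote into without a context change are attached to the finding as related targets. The PID-to-image map is taken from the report's IoC tables and process tree; the user-profile heuristic is an assumption of the example.

```python
import re
from dataclasses import dataclass, field

# Rows copied from the report's WriteProcessMemory and SetThreadContext
# IoC tables, with the number of times each row appears.
EVENTS = [
    ("PID 3716 wrote to memory of 4864 3716 cmd.exe test.exe", 2),
    ("PID 4864 wrote to memory of 1116 4864 test.exe cmd.exe", 2),
    ("PID 1116 wrote to memory of 4592 1116 cmd.exe update.exe", 3),
    ("PID 4592 wrote to memory of 3436 4592 update.exe RegAsm.exe", 3),
    ("PID 4592 wrote to memory of 2504 4592 update.exe RegAsm.exe", 3),
    ("PID 4592 wrote to memory of 1356 4592 update.exe RegAsm.exe", 9),
    ("PID 4592 set thread context of 1356 4592 update.exe RegAsm.exe", 1),
]

# Image paths from the report's process tree, keyed by the PIDs above.
IMAGES = {
    3716: r"C:\Windows\system32\cmd.exe",
    4864: r"C:\Users\Admin\AppData\Local\Temp\9.7.6\test.dist\test.exe",
    1116: r"C:\Windows\system32\cmd.exe",
    4592: r"C:\Users\Admin\AppData\Local\Temp\tmp7fu3ohmh\update.exe",
    3436: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    2504: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    1356: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
}

ROW_RE = re.compile(
    r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)"
)


@dataclass
class PairStats:
    src_pid: int
    dst_pid: int
    src_name: str
    dst_name: str
    writes: int = 0
    context_sets: int = 0


def aggregate(events):
    """Fold per-call rows into one record per (source PID, target PID)."""
    pairs = {}
    for text, count in events:
        m = ROW_RE.fullmatch(text)
        if not m:
            raise ValueError(f"unrecognised IoC row: {text!r}")
        src, action, dst, src_name, dst_name = m.groups()
        key = (int(src), int(dst))
        p = pairs.setdefault(key, PairStats(key[0], key[1], src_name, dst_name))
        if action.startswith("wrote"):
            p.writes += count
        else:
            p.context_sets += count
    return pairs


def user_writable(path):
    """Assumed heuristic: images under the user profile are attacker-controlled."""
    return path.lower().startswith("c:\\users\\")


@dataclass
class Finding:
    src_pid: int
    dst_pid: int
    dst_name: str
    dst_image: str
    writes: int
    src_from_user_path: bool
    related_targets: list = field(default_factory=list)


def find_hollowing(pairs, images):
    """Flag pairs that saw both memory writes and a thread-context change.

    A parent writing into a child it has just created (the cmd.exe rows) is
    normal CreateProcess behaviour and has no context change, so it is not
    reported. Other PIDs with the same target image that the same source
    wrote into without a context change are attached as related targets.
    """
    findings = []
    for (src, dst), p in pairs.items():
        if p.writes == 0 or p.context_sets == 0:
            continue
        related = sorted(
            q.dst_pid for (s, d), q in pairs.items()
            if s == src and d != dst and q.dst_name == p.dst_name and q.writes
        )
        findings.append(Finding(src, dst, p.dst_name, images.get(dst, p.dst_name),
                                p.writes, user_writable(images.get(src, "")),
                                related))
    return findings


if __name__ == "__main__":
    for f in find_hollowing(aggregate(EVENTS), IMAGES):
        print(f"PID {f.src_pid} -> PID {f.dst_pid} ({f.dst_image}): {f.writes} writes"
              f" then SetThreadContext; source in user path: {f.src_from_user_path};"
              f" other {f.dst_name} PIDs written to: {f.related_targets}")
```

The same aggregation works on Sysmon or EDR telemetry once the rows are normalised to (source PID, target PID, action): the discriminator is the combination of writes and a context change on one target, not the write count on its own.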
Processes
-
(1) C:\Windows\system32\cmd.exe
    command: cmd /c C:\Users\Admin\AppData\Local\Temp\9.7.6\9.7.6.lnk
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    (2) C:\Users\Admin\AppData\Local\Temp\9.7.6\test.dist\test.exe
        command: "C:\Users\Admin\AppData\Local\Temp\9.7.6\test.dist\test.exe"
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        (3) C:\Windows\system32\cmd.exe
            command: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp7fu3ohmh\update.exe
            - Suspicious use of WriteProcessMemory
            (4) C:\Users\Admin\AppData\Local\Temp\tmp7fu3ohmh\update.exe
                command: C:\Users\Admin\AppData\Local\Temp\tmp7fu3ohmh\update.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of WriteProcessMemory
                (5) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                (5) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                (5) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                (5) C:\Windows\SysWOW64\WerFault.exe
                    command: C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 328
                    - Program crash
(1) C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4592 -ip 4592
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp7fu3ohmh\update.exe
  Filesize: 520KB
  MD5: d4f63513d2b56e6185436de3d4f01540
  SHA1: 05bc1e772f50df2c9304a6c8c62f1686a7c44e32
  SHA256: d3b5d0061fad4b8d09eeffdba62a4f662f64c36cd1862002a05197f76cace4c6
  SHA512: 6f00b734e0cc0c92406c727471eae977b187e45571ca3ad17f797d8a2a079c25384b1d4fef802cc36da7537c893b32bca89de16586317a66db5ebe83f14532a0
-
memory/1356-12-0x0000000000400000-0x0000000000459000-memory.dmp
  Filesize: 356KB
-
memory/1356-13-0x0000000000400000-0x0000000000459000-memory.dmp
  Filesize: 356KB
-
memory/4864-5-0x00007FFEF7EB0000-0x00007FFEF7EDA000-memory.dmp
  Filesize: 168KB
-
memory/4864-4-0x00007FF6CAEB0000-0x00007FF6CCD5F000-memory.dmp
  Filesize: 30.7MB
-
memory/4864-15-0x00007FF6CAEB0000-0x00007FF6CCD5F000-memory.dmp
  Filesize: 30.7MB
-
memory/4864-18-0x00007FFEF7EB0000-0x00007FFEF7EDA000-memory.dmp
  Filesize: 168KB
-
memory/4864-17-0x00007FF6CAEB0000-0x00007FF6CCD5F000-memory.dmp
  Filesize: 30.7MB