3b3f4a3370531384f28b9f184200e7accd43c2e19248c2f60897a515654e5381

Analysis

max time kernel
41s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/06/2023, 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO TTRQMCZX 36667981265 TTRPO-MTCCAWQQ768992.exe
Size

1.0MB
MD5

5253fbec568c6212f071cd432c69d8c5
SHA1

eecffc0ceafb9e62f079add7c9fa7e5644d5999b
SHA256

3b3f4a3370531384f28b9f184200e7accd43c2e19248c2f60897a515654e5381
SHA512

34485263cff4e516a881f034bbbadfb9247a7c0853bdfb8eb5b4b84eadbba591368d737dd285e38e0e975584d79119b0a94fa03d73547e34380b055e80dce33d
SSDEEP

24576:TTbBv5rUImcyutZfb8ZK/UWlgbr0hspaAcKEby9Iuls:NBESZInW/gaAcei

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1684	jlthguatni.icm

Loads dropped DLL 2 IoCs

pid	Process
516	cmd.exe
516	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	jlthguatni.icm
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "0\\ishc\\jlthguatni.icm 0\\ishc\\fjgtsdjeq.mp3"	jlthguatni.icm

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
868	ipconfig.exe
1252	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1684	jlthguatni.icm
1684	jlthguatni.icm
1684	jlthguatni.icm
1684	jlthguatni.icm
1684	jlthguatni.icm
1684	jlthguatni.icm
1684	jlthguatni.icm
1684	jlthguatni.icm

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 1776	1248	PO TTRQMCZX 36667981265 TTRPO-MTCCAWQQ768992.exe	27
PID 1248 wrote to memory of 1776	1248	PO TTRQMCZX 36667981265 TTRPO-MTCCAWQQ768992.exe	27
PID 1248 wrote to memory of 1776	1248	PO TTRQMCZX 36667981265 TTRPO-MTCCAWQQ768992.exe	27
PID 1248 wrote to memory of 1776	1248	PO TTRQMCZX 36667981265 TTRPO-MTCCAWQQ768992.exe	27
PID 1776 wrote to memory of 856	1776	wscript.exe	28
PID 1776 wrote to memory of 856	1776	wscript.exe	28
PID 1776 wrote to memory of 856	1776	wscript.exe	28
PID 1776 wrote to memory of 856	1776	wscript.exe	28
PID 1776 wrote to memory of 516	1776	wscript.exe	30
PID 1776 wrote to memory of 516	1776	wscript.exe	30
PID 1776 wrote to memory of 516	1776	wscript.exe	30
PID 1776 wrote to memory of 516	1776	wscript.exe	30
PID 856 wrote to memory of 868	856	cmd.exe	32
PID 856 wrote to memory of 868	856	cmd.exe	32
PID 856 wrote to memory of 868	856	cmd.exe	32
PID 856 wrote to memory of 868	856	cmd.exe	32
PID 516 wrote to memory of 1684	516	cmd.exe	33
PID 516 wrote to memory of 1684	516	cmd.exe	33
PID 516 wrote to memory of 1684	516	cmd.exe	33
PID 516 wrote to memory of 1684	516	cmd.exe	33
PID 1776 wrote to memory of 1304	1776	wscript.exe	34
PID 1776 wrote to memory of 1304	1776	wscript.exe	34
PID 1776 wrote to memory of 1304	1776	wscript.exe	34
PID 1776 wrote to memory of 1304	1776	wscript.exe	34
PID 1304 wrote to memory of 1252	1304	cmd.exe	36
PID 1304 wrote to memory of 1252	1304	cmd.exe	36
PID 1304 wrote to memory of 1252	1304	cmd.exe	36
PID 1304 wrote to memory of 1252	1304	cmd.exe	36
PID 1684 wrote to memory of 796	1684	jlthguatni.icm	37
PID 1684 wrote to memory of 796	1684	jlthguatni.icm	37
PID 1684 wrote to memory of 796	1684	jlthguatni.icm	37
PID 1684 wrote to memory of 796	1684	jlthguatni.icm	37

C:\Users\Admin\AppData\Local\Temp\PO TTRQMCZX 36667981265 TTRPO-MTCCAWQQ768992.exe
"C:\Users\Admin\AppData\Local\Temp\PO TTRQMCZX 36667981265 TTRPO-MTCCAWQQ768992.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" osx.vbe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /release
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:868
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c jlthguatni.icm fjgtsdjeq.mp3
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:516
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\jlthguatni.icm
      jlthguatni.icm fjgtsdjeq.mp3
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1684
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
        5⤵
        
        PID:796
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /renew
      4⤵
      Gathers network information
      PID:1252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\RLJJCO~1.QSB

Filesize
364KB

MD5
e713483becb9dac6b2c754ea185d2e34

SHA1
7bddc22d3844cceb97fab8c234facdeeeea0a454

SHA256
2c8400d742a5f737ffb2ff600b7a70318eb90708caa94b45de2a5e62c9404284

SHA512
f855bdc53f15047df996727e88a3d39d457c706340b82cbd7c1e46fe25bd36922d5fe2c1d4fe8d07f25f8ddcd6e5580010b0142d43b70c30044ae0cd5a7c1e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bevccrft.mp3

Filesize
36KB

MD5
1c9a7a34f9454a2fd984315fb87cfa1d

SHA1
bfd3bc18ac7e99d32ddf69c8c2b78bb22036886c

SHA256
089761aa3d90632acd5833ab1ce3487b05f29cc354b3b9acab42a04147d49542

SHA512
0693c5bb890aa745c8176bb47481b0e01e24f8ff9922dcc8d73bead0e8a4c479ef9e5430d9334e2f3724901d70d698819f4e19632f1f5767c3015d3d3808f113

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fjgtsdjeq.mp3

Filesize
98.0MB

MD5
4d6b295f79c89bcd8f1f531aab594a27

SHA1
533b48198ae296a4a7300950e8a02b1b164b9e60

SHA256
28a4cebc8d78ef6242eb2aec56d074e2f8ec9e41a32e2125d86cfa4a24ece423

SHA512
1be689befe060970cef6b7c613c78f7e5b365b3ef5e78eaef6fa83ecb775cc74f00b99b148ecc9b2242881cb86abbf62d96b31c480f139af7338750eaf388647

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jlthguatni.icm

Filesize
996KB

MD5
e39331a6a5d0e3db750d5895ba436327

SHA1
5e56162e7172b2c3052a666b1b65d920aed24e8b

SHA256
29de18be1d849d3b2d8bd167082310c00af38ce7e9df97e9e0a297bd51e2c811

SHA512
e2f9c71bec31055a70277ed85f634ae986852ff96d72fd810b687daf076d7328cf6afa8bf11004579e37ba9ef6f89616bc31283257bd56fc40c2694ed02115f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jlthguatni.icm

Filesize
996KB

MD5
e39331a6a5d0e3db750d5895ba436327

SHA1
5e56162e7172b2c3052a666b1b65d920aed24e8b

SHA256
29de18be1d849d3b2d8bd167082310c00af38ce7e9df97e9e0a297bd51e2c811

SHA512
e2f9c71bec31055a70277ed85f634ae986852ff96d72fd810b687daf076d7328cf6afa8bf11004579e37ba9ef6f89616bc31283257bd56fc40c2694ed02115f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\osx.vbe

Filesize
35KB

MD5
d8a5394db67226a7f82729e08a7f308d

SHA1
11976bd354e81f88169b0c6fb3668b791992a146

SHA256
52dde85a83c637fb4d53436d35dd500534b148d38a50ebaa9481cd157bc4dace

SHA512
105b0b92e2acc14e6e3d87fd292d7f0ca1eb1c32e3b9e8f3630a31446ce5b5cbac7d417529016500e23c9e98ce4727b0dd09df9f44243df6ec3144749aef6e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs

Filesize
135B

MD5
4d3f006ee7d5afaadafb8c085cf679ad

SHA1
4a2748557bba455b33db10738cf510f891f4eb3d

SHA256
d80be19c5e367d03417c725ffa2d4457c19c63d8027279efd0a57878626de4e9

SHA512
4ad1270b762de93eb6cae6df3ddaf2be1a3e58275f0bc522fcbf03e519b3e9620f0741ab911e9d05e5d99e6eeb47abaa272fbe580db98eb0241d7323f2d3b2ba

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\jlthguatni.icm

Filesize
996KB

MD5
e39331a6a5d0e3db750d5895ba436327

SHA1
5e56162e7172b2c3052a666b1b65d920aed24e8b

SHA256
29de18be1d849d3b2d8bd167082310c00af38ce7e9df97e9e0a297bd51e2c811

SHA512
e2f9c71bec31055a70277ed85f634ae986852ff96d72fd810b687daf076d7328cf6afa8bf11004579e37ba9ef6f89616bc31283257bd56fc40c2694ed02115f8

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\jlthguatni.icm

Filesize
996KB

MD5
e39331a6a5d0e3db750d5895ba436327

SHA1
5e56162e7172b2c3052a666b1b65d920aed24e8b

SHA256
29de18be1d849d3b2d8bd167082310c00af38ce7e9df97e9e0a297bd51e2c811

SHA512
e2f9c71bec31055a70277ed85f634ae986852ff96d72fd810b687daf076d7328cf6afa8bf11004579e37ba9ef6f89616bc31283257bd56fc40c2694ed02115f8

Download Submit