Overview

overview

8

Static

static

3

7cb7086237...28.exe

windows7-x64

8

7cb7086237...28.exe

windows10-2004-x64

8

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows7-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PROGRAMFI...it.dll

windows7-x64

1

$PROGRAMFI...it.dll

windows10-2004-x64

1

$PROGRAMFI...ge.dll

windows7-x64

1

$PROGRAMFI...ge.dll

windows10-2004-x64

1

$PROGRAMFI...er.dll

windows7-x64

1

$PROGRAMFI...er.dll

windows10-2004-x64

1

fuk.exe

windows7-x64

7

fuk.exe

windows10-2004-x64

7

vts.exe

windows7-x64

8

vts.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/01/2024, 09:05

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    7cb7086237327a68a89f9ffebbe5a228.exe

  • Size

    1.0MB

  • MD5

    7cb7086237327a68a89f9ffebbe5a228

  • SHA1

    7384435fe71c6c8275fb5204218da4900ef27f48

  • SHA256

    621130bec2ab9105386df86d03072ec6762e510b5706614678555137cf8603c6

  • SHA512

    469f2078bb1851a502e89639528484e9e175576f0bfac30cfcca259b7d5d740ac8c1787242f65c2f54f7fa3419003750171c8797ed99bd6b11cde7839e503c41

  • SSDEEP

    24576:la81Z/0sin7rvPmds+nx9XkOFDlerCkGhQZ8t/4wPVii9WA:V1ZHin7rx+xFkoBerCkGhjbVinA

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7cb7086237327a68a89f9ffebbe5a228.exe
    "C:\Users\Admin\AppData\Local\Temp\7cb7086237327a68a89f9ffebbe5a228.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4972
    • C:\Users\Admin\AppData\Local\Temp\yankee\vts.exe
      "C:\Users\Admin\AppData\Local\Temp\yankee\vts.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3972
      • C:\Windows\SysWOW64\dllhost.exe
        dllhost.exe
        3⤵
          PID:4692
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c cmd < Parve.vss
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4876
          • C:\Windows\SysWOW64\cmd.exe
            cmd
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3132
            • C:\Windows\SysWOW64\findstr.exe
              findstr /V /R "^LMdJCxRSRoddjdlTxyoqClWafTdkkbEWYdXeiJSojeIIDRNHLutVIRNBQXzJtFGzDxaWziMKjZNmBhOnyJAyaIhuCcjpdprGvgtpm$" Puramente.vss
              5⤵
                PID:4804
              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Larghe.exe.com
                Larghe.exe.com V
                5⤵
                • Executes dropped EXE
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:4368
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Larghe.exe.com
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Larghe.exe.com V
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks processor information in registry
                  • Modifies registry class
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:3796
                  • C:\Windows\SysWOW64\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\peymhwotgtk.vbs"
                    7⤵
                    • Blocklisted process makes network request
                    PID:8
              • C:\Windows\SysWOW64\PING.EXE
                ping ZHCNTALV -n 30
                5⤵
                • Runs ping.exe
                PID:3872
        • C:\Users\Admin\AppData\Local\Temp\yankee\fuk.exe
          "C:\Users\Admin\AppData\Local\Temp\yankee\fuk.exe"
          2⤵
          • Drops startup file
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1784
          • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
            "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: AddClipboardFormatListener
            PID:4424
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 968
            3⤵
            • Program crash
            PID:1660
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1784 -ip 1784
        1⤵
          PID:4928

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\D4A6.tmp
                Filesize

                313B

                MD5

                bee55e52500f967c3d9402e05dd57f65

                SHA1

                d8dc65ec97c6288e1fd10b8c4f8502e5a8a5bbf6

                SHA256

                b90eae4b05d321efc4519963349c1775dcea8e3b0ae53b50285545380b6539c0

                SHA512

                b8624a934fb74760f5b231ca97e89074b227ad9fe3bb08b01a81cf35760f06b346f395cf6683df5881dc429ae77af0d0a07cfeb9c9ec127e4e917191bf8c91da

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Larghe.exe.com
                Filesize

                248KB

                MD5

                9f2f64efd5eab0d18fcae6fcbcbbdbce

                SHA1

                e578609f228dcd87259c41653d5c572a694a73e4

                SHA256

                f7d6d76bf792f9eb37289c625d09ef3e0cef8c619c2ec56d0dfe06978b8ede49

                SHA512

                855571d6ece80d3fe633e1468e93f960e30f0cbb783981fb17a7f75fd29c0a67a57a69bc5feae7f61696d434ace05c16c5e6c857fb888bc1beef543a602621ea

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Larghe.exe.com
                Filesize

                280KB

                MD5

                230a604c60b24832104c17239a5f4bee

                SHA1

                2c540a5339de7482a169e417fe95d6829853a763

                SHA256

                5bddc59af1a042d645d63ef22694a3ad3335f868549d3f28997e105a6d6240c4

                SHA512

                0453e3b4346a69d18e3c80911912da020ebb89c403717505b4c7f214dd41e0817cedb337526a5ac6512ad22ddd06c16b7884d8f03db3aaf4c7da42864913a4ad

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Larghe.exe.com
                Filesize

                872KB

                MD5

                c56b5f0201a3b3de53e561fe76912bfd

                SHA1

                2a4062e10a5de813f5688221dbeb3f3ff33eb417

                SHA256

                237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

                SHA512

                195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Parve.vss
                Filesize

                491B

                MD5

                6193206b845ad943cc6711d8fc9a4a96

                SHA1

                f04440a3e4596312a9090450aed7bf1c1dfec347

                SHA256

                8a8e1bb6d656364da887d31555ca97a5173c71c8bd18a317f2ac8c4eac094079

                SHA512

                371523630141d273b575d87ade03829c1a08a2d17d44a8a5b8a4313ccd71d26ba8badd524bbbe59d9d4dd474355f2e70aa40b204f79053ba8802418f0c600f81

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Puramente.vss
                Filesize

                405KB

                MD5

                d286a5a841a88c48d543d17e3fdaf0cb

                SHA1

                b1f90c8e984361643ccdd516defd64687b698b95

                SHA256

                801d1b6a9aab7b07e79c15e08933b230817cbbf173bec02e8a014b477db524f8

                SHA512

                b573b6f25afa81cc3c33631742421f075c23bd92ded375ddc3395de845abcd047116950a2cc870a17f38a30cf0e7f49f32bd0ce32d9ca0a312d69cd2a9aac776

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Udi.vss
                Filesize

                294KB

                MD5

                68cd506e379715e8123da907aab352a5

                SHA1

                146b47016c4dfb1a715385968d41b4ddda321cde

                SHA256

                ea8812d667219a057ba11f10858a4be8bf53863760f588051ffe5b76515665df

                SHA512

                da12c51ccf6700bcab269446dd012f0ff9529a924c75ee533abf747415c6a541ef344faf59552305b9442ced3463bc8a9d0b3cc8466d0134ba2e448a0dce58c6

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\V
                Filesize

                246KB

                MD5

                00a2e02507fc4ef1c654f8cabbd47ba8

                SHA1

                f8491fec807229096208ef7aad4e65482d28e021

                SHA256

                b5d595bd12233c5ccab775961caf207b354e53e95cf83b8ef137dea09a3b100f

                SHA512

                0cccefef3eca6f07558823acf589604f16fa11e3f93cb54a037d6f00cbc1b3a552d52c6630d1e94d63e5bee19475b54e656df0e8ff279b3174e241a43fdd37ca

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\nsh4BFE.tmp\UAC.dll
                Filesize

                14KB

                MD5

                adb29e6b186daa765dc750128649b63d

                SHA1

                160cbdc4cb0ac2c142d361df138c537aa7e708c9

                SHA256

                2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

                SHA512

                b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\peymhwotgtk.vbs
                Filesize

                136B

                MD5

                69d8da9bed4f0de7cdba4fcf6fe20040

                SHA1

                c221e272d7cfbbf1cd76ea4854e142bb87114b9e

                SHA256

                caf711e5537765906df7c42b61e8d4f9f28eeb065c8a7c7bdfbc5e6823f1fd92

                SHA512

                16117ad3aee825ff72d600835a6c754e7fe1cf77a9bbc09b85c1aaa75dd710af31fccdeb93033ae273b97dc817c3f674f1ec39e57a6dc53b24faa8caf7708fd4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\yankee\fuk.exe
                Filesize

                295KB

                MD5

                75ea00138e7b6d0c9a518c975068ec43

                SHA1

                1a5505b10dda0b54f69e54afa6c86ccef3a26d54

                SHA256

                dba8d246dde96cb992ef6b6ff482e9ef047b8f7f2233b0a4a037fc3d50df2edb

                SHA512

                ec5a6fe268ec0c6bd0921bbdf638ce827ebc87128701a6ad6f33a038173318a3695a1ec9189a100969e14628b7313efc5c14abf0937a8a6fef74ab72cb6b3a85

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\yankee\vts.exe
                Filesize

                436KB

                MD5

                d34f1e846b84b962ce183e687faf0a3a

                SHA1

                1c6393e88cd9028f5a1973a9667a4eaaf9c029f9

                SHA256

                aecdad45dae504bbb04ab9e097e9e098fffb50e68f6e126a2ab33d2e6aee8147

                SHA512

                055a38b89a5ace26dcda47837c05eda71d54e67aaf204954e50e9ec5931edd85ebd8af3e484583708f506a27731d7c633b640dfbd620b3a327d5f4c9b88e7a7b

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
                Filesize

                187KB

                MD5

                6491818f93c5d1c40445d02a965291d4

                SHA1

                7ff6d9e032d088ab7204e63d24c9abab2acc4afa

                SHA256

                abc824d97eabd9ce5ef8e65ae8fedd1c21eb89848b707399da88f9a429984f71

                SHA512

                fc3a70c73279e2e38bc88c1fad2df5ddbd25afcd61a9f29a65c31732511a6832c9e9d10bd034bb726e467b369306131825ccc54c868eadd0731026eac1bac86a

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
                Filesize

                203KB

                MD5

                9f57252087bfada7cd4d22790b98d0b2

                SHA1

                19d4cbf1326f9d7b41a2a1d1f144762e0173e9e3

                SHA256

                e2ffd5f6810337336b93c907a177d1d33decad7bc94fca2eb787e0cd1ec23fdc

                SHA512

                e76f803f433c053f25ac04f2711ea3f469fa4ffb59bfd920f3f72d8d6aaaa3c8c522aded536f7062082c53c3a42dee6329ff226c22486db5f90d195581e7b70f

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
                Filesize

                187KB

                MD5

                6171613a23cfc34273f9de965bcfbd52

                SHA1

                c4a14c9366539fae184b097898d78b95c7de567a

                SHA256

                d873ba4a307b2343654d9b602c3e30d3321a680943dd042740e3e126d5a9bf04

                SHA512

                dcb99269254fcf47f33f5c852b141899e1d1ab25b6ee033f1ae6b76435cf74184b6dcd558109b673e959c6295e5b2893427e60fbaab91818d178c45e99320bae

                Download Submit

              • memory/1784-46-0x0000000000400000-0x00000000023B4000-memory.dmp

                Filesize

                31.7MB

                Download

              • memory/1784-47-0x0000000000400000-0x00000000023B4000-memory.dmp

                Filesize

                31.7MB

                Download

              • memory/1784-36-0x0000000002590000-0x0000000002690000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/1784-38-0x0000000002520000-0x0000000002546000-memory.dmp

                Filesize

                152KB

                Download

              • memory/3796-55-0x00000000043A0000-0x00000000043C7000-memory.dmp

                Filesize

                156KB

                Download

              • memory/3796-53-0x00000000043A0000-0x00000000043C7000-memory.dmp

                Filesize

                156KB

                Download

              • memory/3796-56-0x00000000043A0000-0x00000000043C7000-memory.dmp

                Filesize

                156KB

                Download

              • memory/3796-57-0x00000000043A0000-0x00000000043C7000-memory.dmp

                Filesize

                156KB

                Download

              • memory/3796-59-0x00000000043A0000-0x00000000043C7000-memory.dmp

                Filesize

                156KB

                Download

              • memory/3796-54-0x00000000043A0000-0x00000000043C7000-memory.dmp

                Filesize

                156KB

                Download

              • memory/3796-52-0x00000000043A0000-0x00000000043C7000-memory.dmp

                Filesize

                156KB

                Download

              • memory/3796-74-0x00000000043A0000-0x00000000043C7000-memory.dmp

                Filesize

                156KB

                Download

              • memory/4424-48-0x0000000002540000-0x0000000002640000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/4424-58-0x0000000002540000-0x0000000002640000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/4424-49-0x0000000000400000-0x00000000023B4000-memory.dmp

                Filesize

                31.7MB

                Download