2bfc1657c918035fab5fa2da8e4e76d54cf9b65ac1e65dcdede65cc19a6771f6

Analysis

max time kernel
1758s
max time network
1165s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

moduladordevoz.exe
Size

380KB
MD5

fdc726071430ada68e117f6f12f01322
SHA1

2daa8755f47713b00c1dbefe7d9c8e4c5690518b
SHA256

2bfc1657c918035fab5fa2da8e4e76d54cf9b65ac1e65dcdede65cc19a6771f6
SHA512

a5cb35ea0e5c6bb4553d258bcad76ea52db30370e84a065d6ca4e2924b08e6d2af85f6cde5dc99fc7c4e4396408a4fb390e2401026ae9698c1fcca3380f0aaeb
SSDEEP

6144:TMM8fApOSxvbaiwb7AyT21XOHxXAsEbzd/CAuQ0ykuyoJlbOSvT+Pn1IB:N8f8vbad7Aya0R47uZuxJ7vT+/C

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	moduladordevoz.exe

Executes dropped EXE 1 IoCs

pid	Process
100	TalkAny.exe

Loads dropped DLL 3 IoCs

pid	Process
100	TalkAny.exe
100	TalkAny.exe
100	TalkAny.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
100	TalkAny.exe
100	TalkAny.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 100	1508	moduladordevoz.exe	94
PID 1508 wrote to memory of 100	1508	moduladordevoz.exe	94
PID 1508 wrote to memory of 100	1508	moduladordevoz.exe	94

C:\Users\Admin\AppData\Local\Temp\moduladordevoz.exe
"C:\Users\Admin\AppData\Local\Temp\moduladordevoz.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Temp\Ogif\TalkAny\TalkAny.exe
  "C:\Temp\Ogif\TalkAny\TalkAny.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\Ogif\TalkAny\TIBASE32.dll

Filesize
78KB

MD5
2cb4f99812841f5271ea9fce41dddb46

SHA1
f4cb27de41b7c4138c1438eb79a4f3468b56f57e

SHA256
9297f69236b296238096baa1e9d00567fc74409b5a7ebe2565da71b27fcdc5cb

SHA512
e256da1350e600707a961ec155d6c34bad21a08fc5b7d8b14defe70b018a1473e5dc1cebe05139b902289bc995953db86139a64e6e0ff06bd62d85cf7654346c

Download Submit
C:\Temp\Ogif\TalkAny\TIENG32.DLL

Filesize
317KB

MD5
63ebdcc2ea86671601af678535aaaf9d

SHA1
680d14d8ad355f542677c1f0ae02d2f6c7b08ba9

SHA256
4e261dcdf4eca118cf75c39b2f52d5b00888de820df9e4e868183a039f25e98b

SHA512
d105a4cb3e40bd1cbf18bf60335df54bc7b1f78a6af236bd1acbacbe2e1268b98b3331edae923a40b7db3de2393cc20e5209258b126116234dadcce1a4c203e4

Download Submit
C:\Temp\Ogif\TalkAny\TISPAN32.DLL

Filesize
65KB

MD5
1e522006e572619dabe8713ebc83c27f

SHA1
b7a574f6763c405cac18d5930d4538ccf70d3824

SHA256
ccc3c0b35b42ef40e116a8ba5e6f40c1f303e00f6d6c31c9a9eac5994b1d5294

SHA512
7451e0de0c38709e965f473e5b721ef40760955cec58659abc5d60d2b6e8bb28b0fa15bcacdc194fa412563c97b6150c5708fdf2ec198054a48a212386b47ab7

Download Submit
C:\Temp\Ogif\TalkAny\TalkAny.exe

Filesize
534KB

MD5
bbc3687e84989e3f70f2179ba9a458b3

SHA1
7059147afcd22233c1180fa386414b8e9f8bc10c

SHA256
49534e847f24fdd727ada248666c5ebbbf7cefff54443df1dd56240cccb50a97

SHA512
e66f6881fb5e3f4a7911fd8edfae82f88d4c4089eab2efb180fbc5c0860edd298c85d838426e0ba4cec0d392ae76c470fcb442b9699c841d5919e008e5a5fac5

Download Submit