Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    23/07/2024, 20:35 UTC

General

  • Target

    061d0c491d5c672cec51c3e499e3cb60N.exe

  • Size

    436KB

  • MD5

    061d0c491d5c672cec51c3e499e3cb60

  • SHA1

    39a52fdd2b769ed9217ce6b08f9bd2ef44149418

  • SHA256

    74602e4cc9f25828cf5dc3b213c09e68cf95e15bfcf477bdba2b109c73cc0a79

  • SHA512

    b003edaed30bb45b25772bf06564d11f7db751b6528dae1e762f4d5f0b6cbd02f18b132459a3a7b23a81687d0aff71dadae2e96c86c200cec837f99cf6de951c

  • SSDEEP

    3072:sgsCs5apuKRZZ5AyFZG8iJAXnZqRhvQO3V+lzs+B0MwXMAsYmpmd/h1:sgE5awKTgyFZG8iCnZq3vXf80MUmpmr1

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\061d0c491d5c672cec51c3e499e3cb60N.exe
    "C:\Users\Admin\AppData\Local\Temp\061d0c491d5c672cec51c3e499e3cb60N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\SysWOW64\wininit32.exe
      C:\Windows\system32\wininit32.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:2364
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\r2782.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\r2782.bat

    Filesize

    237B

    MD5

    2b9d4cdc909230010b3cf502ed159a7b

    SHA1

    d025303e0af296a8a153359cd225cd636218e1a5

    SHA256

    6136f5b698f6496f655a10c0b8d65cab7740ae1e2f2e5541fbde5f2443d5a58c

    SHA512

    db0ac5d388f7002ab7b0345dc0665bf94d620de2531f778ff46d627e8707349c1c6f03917d28b0b6ea17bb0717414d8c0df9199b2f7bd735afaabb125fb812db

  • \Windows\SysWOW64\wininit32.exe

    Filesize

    450KB

    MD5

    38262b884556218bf65b526ac8cd22fb

    SHA1

    bf775fd1f9da86c914193689ce7e82a3102260b1

    SHA256

    dc8b0f9f6095b5d7d63ee034ad0a648b79d4eea2cc58ea1041e35215c57480b8

    SHA512

    cddb65591c7ce575d555cbaaf5c23b891d7c855d6013c99db305812fff784c92947af734d755f33ba81e47f86b62be31b32184f0403ee7d0937266494fa60f7f

  • memory/2036-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2036-5-0x0000000001D10000-0x0000000001D3F000-memory.dmp

    Filesize

    188KB

  • memory/2036-13-0x0000000001D10000-0x0000000001D3F000-memory.dmp

    Filesize

    188KB

  • memory/2036-21-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2364-24-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.