74602e4cc9f25828cf5dc3b213c09e68cf95e15bfcf477bdba2b109c73cc0a79

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 20:35 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

061d0c491d5c672cec51c3e499e3cb60N.exe
Size

436KB
MD5

061d0c491d5c672cec51c3e499e3cb60
SHA1

39a52fdd2b769ed9217ce6b08f9bd2ef44149418
SHA256

74602e4cc9f25828cf5dc3b213c09e68cf95e15bfcf477bdba2b109c73cc0a79
SHA512

b003edaed30bb45b25772bf06564d11f7db751b6528dae1e762f4d5f0b6cbd02f18b132459a3a7b23a81687d0aff71dadae2e96c86c200cec837f99cf6de951c
SSDEEP

3072:sgsCs5apuKRZZ5AyFZG8iJAXnZqRhvQO3V+lzs+B0MwXMAsYmpmd/h1:sgE5awKTgyFZG8iCnZq3vXf80MUmpmr1

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2968	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2364	wininit32.exe

Loads dropped DLL 2 IoCs

pid	Process
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wininit32.exe	061d0c491d5c672cec51c3e499e3cb60N.exe
File opened for modification	C:\Windows\SysWOW64\wininit32.exe	061d0c491d5c672cec51c3e499e3cb60N.exe
File created	C:\Windows\SysWOW64\wininit32.exe	wininit32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	061d0c491d5c672cec51c3e499e3cb60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2364	wininit32.exe
2364	wininit32.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2364	wininit32.exe
2364	wininit32.exe
2036	061d0c491d5c672cec51c3e499e3cb60N.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe
2364	wininit32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2364	2036	061d0c491d5c672cec51c3e499e3cb60N.exe	30
PID 2036 wrote to memory of 2364	2036	061d0c491d5c672cec51c3e499e3cb60N.exe	30
PID 2036 wrote to memory of 2364	2036	061d0c491d5c672cec51c3e499e3cb60N.exe	30
PID 2036 wrote to memory of 2364	2036	061d0c491d5c672cec51c3e499e3cb60N.exe	30
PID 2036 wrote to memory of 2968	2036	061d0c491d5c672cec51c3e499e3cb60N.exe	31
PID 2036 wrote to memory of 2968	2036	061d0c491d5c672cec51c3e499e3cb60N.exe	31
PID 2036 wrote to memory of 2968	2036	061d0c491d5c672cec51c3e499e3cb60N.exe	31
PID 2036 wrote to memory of 2968	2036	061d0c491d5c672cec51c3e499e3cb60N.exe	31

C:\Users\Admin\AppData\Local\Temp\061d0c491d5c672cec51c3e499e3cb60N.exe
"C:\Users\Admin\AppData\Local\Temp\061d0c491d5c672cec51c3e499e3cb60N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\wininit32.exe
  C:\Windows\system32\wininit32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\r2782.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\r2782.bat

Filesize
237B

MD5
2b9d4cdc909230010b3cf502ed159a7b

SHA1
d025303e0af296a8a153359cd225cd636218e1a5

SHA256
6136f5b698f6496f655a10c0b8d65cab7740ae1e2f2e5541fbde5f2443d5a58c

SHA512
db0ac5d388f7002ab7b0345dc0665bf94d620de2531f778ff46d627e8707349c1c6f03917d28b0b6ea17bb0717414d8c0df9199b2f7bd735afaabb125fb812db

Download Submit
\Windows\SysWOW64\wininit32.exe

Filesize
450KB

MD5
38262b884556218bf65b526ac8cd22fb

SHA1
bf775fd1f9da86c914193689ce7e82a3102260b1

SHA256
dc8b0f9f6095b5d7d63ee034ad0a648b79d4eea2cc58ea1041e35215c57480b8

SHA512
cddb65591c7ce575d555cbaaf5c23b891d7c855d6013c99db305812fff784c92947af734d755f33ba81e47f86b62be31b32184f0403ee7d0937266494fa60f7f

Download Submit
memory/2036-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2036-5-0x0000000001D10000-0x0000000001D3F000-memory.dmp

Filesize
188KB

Download
memory/2036-13-0x0000000001D10000-0x0000000001D3F000-memory.dmp

Filesize
188KB

Download
memory/2036-21-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2364-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download