af41b9ac95c32686ba1ef373929b54f49088e5c4f295fe828b43b32b5160aa78

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af41b9ac95c32686ba1ef373929b54f49088e5c4f295fe828b43b32b5160aa78.exe
Size

898KB
MD5

c02798b26bdaf8e27c1c48ef5de4b2c3
SHA1

bc59ab8827e13d1a9a1892eb4da9cf2d7d62a615
SHA256

af41b9ac95c32686ba1ef373929b54f49088e5c4f295fe828b43b32b5160aa78
SHA512

b541aeedcc4db6f8e0db0788f2791339476a863c15efc72aef3db916fc7c8ab41d84c0546c05b675be4d7700c4f986dbae5e2858d60ecd44b4ffbcae2065cfc4
SSDEEP

24576:juDXTIGaPhEYzUzA0aouDXTIGaPhEYzUzA0br:KDjlabwz9MDjlabwz93

Score

10^/10

discovery

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.ll.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
tom1209

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontiernet.net
Port:
587
Username:
[email protected]
Password:
#40grandma

Extracted

Credentials

Protocol: smtp
Host:
smtp.ag.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
southpark

Extracted

Credentials

Protocol: smtp
Host:
smtp.af.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
0310ti

Extracted

Credentials

Protocol: smtp
Host:
smtp.nifty.com
Port:
587
Username:
[email protected]
Password:
mitsutec

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontiernet.net
Port:
587
Username:
[email protected]
Password:
necros

Extracted

Credentials

Protocol: smtp
Host:
ma.medias.ne.jp
Port:
587
Username:
[email protected]
Password:
422406

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
tahiti3738

Extracted

Credentials

Protocol: smtp
Host:
smtp.srpadvocacia.com
Port:
587
Username:
[email protected]
Password:
adv1082020

Extracted

Credentials

Protocol: smtp
Host:
smtp.foxvalley.net
Port:
587
Username:
[email protected]
Password:
Stude38

Extracted

Credentials

Protocol: smtp
Host:
smtp.ax.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
bornin58

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
zoarvalley08

Extracted

Credentials

Protocol: smtp
Host:
smtp.ax.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
0310ti

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
drake97

Extracted

Credentials

Protocol: smtp
Host:
smtp.rmilani.com.br
Port:
587
Username:
[email protected]
Password:
milani

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
Lucylu12@

Extracted

Credentials

Protocol: smtp
Host:
mail.wxmail.xyz
Port:
587
Username:
[email protected]
Password:
Iiy4t3NJSb1.0

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
gravel1@

Extracted

Credentials

Protocol: smtp
Host:
smtp.ab.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
yuto0920

Extracted

Credentials

Protocol: smtp
Host:
smtp.pp.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
vj3ehsjp

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
Blood_line123@

Extracted

Credentials

Protocol: smtp
Host:
mail.eastcom.ne.jp
Port:
587
Username:
[email protected]
Password:
shirokun

Extracted

Credentials

Protocol: smtp
Host:
smtp.foxvalley.net
Port:
587
Username:
[email protected]
Password:
Gaj12783

Extracted

Credentials

Protocol: smtp
Host:
smtp.pp.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
igirisu0617

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
marissa1@

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
1499blitz@

Extracted

Credentials

Protocol: smtp
Host:
mx2.flekssitoffice.com
Port:
587
Username:
[email protected]
Password:
vGs$9388

Extracted

Credentials

Protocol: smtp
Host:
mail.99main.com
Port:
587
Username:
[email protected]
Password:
ling97

Extracted

Credentials

Protocol: smtp
Host:
smtp.aa.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
kmn3tm73

Extracted

Credentials

Protocol: smtp
Host:
smtp.ct.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
1316jtxx

Extracted

Credentials

Protocol: smtp
Host:
ab.thn.ne.jp
Port:
587
Username:
[email protected]
Password:
0lsiqa7w

Extracted

Credentials

Protocol: smtp
Host:
smtp.ct.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
423853544

Extracted

Credentials

Protocol: smtp
Host:
smtp.citlink.net
Port:
587
Username:
[email protected]
Password:
Hmfogtliwt2@

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
Medion11@

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
236898@@

Extracted

Credentials

Protocol: smtp
Host:
smtp.az.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
hh5126

Extracted

Credentials

Protocol: smtp
Host:
techpilelko.in
Port:
587
Username:
[email protected]
Password:
mashish@760

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
kudo1856

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

af41b9ac95c32686ba1ef373929b54f49088e5c4f295fe828b43b32b5160aa78.execlamer.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	af41b9ac95c32686ba1ef373929b54f49088e5c4f295fe828b43b32b5160aa78.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	clamer.exe

Executes dropped EXE 3 IoCs

Processes:

clamer.exelofsawd.exeuuvamn.exe

pid	Process
4192	clamer.exe
228	lofsawd.exe
1216	uuvamn.exe

Drops file in Windows directory 1 IoCs

Processes:

lofsawd.exe

description	ioc	Process
File created	C:\Windows\Tasks\Test Task17.job	lofsawd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

lofsawd.exeuuvamn.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lofsawd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uuvamn.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

af41b9ac95c32686ba1ef373929b54f49088e5c4f295fe828b43b32b5160aa78.execmd.execlamer.exe

description	pid	Process	procid_target
PID 2364 wrote to memory of 3880	2364	af41b9ac95c32686ba1ef373929b54f49088e5c4f295fe828b43b32b5160aa78.exe	84
PID 2364 wrote to memory of 3880	2364	af41b9ac95c32686ba1ef373929b54f49088e5c4f295fe828b43b32b5160aa78.exe	84
PID 3880 wrote to memory of 4192	3880	cmd.exe	87
PID 3880 wrote to memory of 4192	3880	cmd.exe	87
PID 4192 wrote to memory of 228	4192	clamer.exe	89
PID 4192 wrote to memory of 228	4192	clamer.exe	89
PID 4192 wrote to memory of 228	4192	clamer.exe	89

C:\Users\Admin\AppData\Local\Temp\af41b9ac95c32686ba1ef373929b54f49088e5c4f295fe828b43b32b5160aa78.exe
"C:\Users\Admin\AppData\Local\Temp\af41b9ac95c32686ba1ef373929b54f49088e5c4f295fe828b43b32b5160aa78.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe
    clamer.exe -priverdD
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4192
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\lofsawd.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\lofsawd.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:228

C:\ProgramData\lfedd\uuvamn.exe
C:\ProgramData\lfedd\uuvamn.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
37B

MD5
28151380c82f5de81c1323171201e013

SHA1
ae515d813ba2b17c8c5ebdae196663dc81c26d3c

SHA256
bb8582ce28db923f243c8d7a3f2eccb0ed25930f5b5c94133af8eefb57a8231d

SHA512
46b29cba0dc813de0c58d2d83dc298fa677921fd1f19f41e2ed3c7909c497fab2236d10a9ae59b3f38e49cf167964ede45e15543673a1e0843266242b8e26253

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe

Filesize
453KB

MD5
a9f386515c3896a0a106940be362de47

SHA1
d1a9cf3c16555db4b2395d388995c2b13d2d683b

SHA256
12532d6bf0cdb5ea1cc0844e9ef73530456a337d5b73bb8d23e110fac46c3446

SHA512
7a2a4a6c7f9c426ff57066786892f4bbd7830f8c91985f1243abfd9148878345e83813eb09434b68b6616b76860d4163c1c7e32d4eb552953019fc8cb4c0a448

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\lofsawd.exe

Filesize
16KB

MD5
e7d405eec8052898f4d2b0440a6b72c9

SHA1
58cf7bfcec81faf744682f9479b905feed8e6e68

SHA256
b63a0e5f93b26ad0eeb9efba66691f3b7e7f51e93a2f0098bde43833f7a24cc2

SHA512
324507084bd56f7102459efe7b3c2d2560f4e89ed03ec4a38539ebb71bccdf1def7bc961c259f9b02f4b2be0d5e095136c9efcd5fc3108af3dc61d24970d6121

Download Submit
C:\Windows\Tasks\Test Task17.job

Filesize
236B

MD5
ecf077405675768ee3ae087880f75334

SHA1
cf9edc00d07abc64547bec281b21ceb3f788f80a

SHA256
a980e90a3c59f3abb65a8d9c9669e6d970acafdbf70eb26f99517463c25f4861

SHA512
c1ed96c5c8cd32783650860bd9b596c3ba9ec5e17a8ece3cfb14fced093cd1a47b5ffa4298d492d1578912ef17ea2541376c80b1b8cf393cc309fe063861fadf

Download Submit