73ef345268cb43f47baeb7ba75d7b08d8fd61aeef25dd65e908cf723ab4e43b7

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a3e2eecb7f7f464c57a7159570d2d55c6893839be852af898089550265f5dfc.cmd
Size

3.1MB
MD5

a7ecf2d80475a31c10bfdddd8c060548
SHA1

f2b81ba9aa32b39fa41558f67d2627ab3da72f29
SHA256

6a3e2eecb7f7f464c57a7159570d2d55c6893839be852af898089550265f5dfc
SHA512

64b26683677f636eaf632f11d3f9d6d7502ab17a3b102fffc66c846b53d017f2dd09c5e42bbaa7e3d07a7a98f26909cccb41a746ba520a3a9b9dce43bf7a55a5
SSDEEP

24576:eIQFfxaplqwu8YYDEWRRm0Dxb3n7o3quNeHt2T6IPGKhCNwPmOyEC5p+gP3m0nlL:eIq5a/h5YYDEcRm0D53UYHQ6hcm5ECR

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
2668	alpha.exe
2764	alpha.exe
2944	kn.exe
2932	alpha.exe
2132	kn.exe
2844	CLEAN.COM
2592	alpha.exe
2896	alpha.exe

Loads dropped DLL 11 IoCs

pid	Process
2740	cmd.exe
2740	cmd.exe
2764	alpha.exe
2740	cmd.exe
2932	alpha.exe
2740	cmd.exe
2740	cmd.exe
1724	WerFault.exe
1724	WerFault.exe
1724	WerFault.exe
1724	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1724	2844	WerFault.exe	38

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CLEAN.COM

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2844	CLEAN.COM

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 1608	2740	cmd.exe	31
PID 2740 wrote to memory of 1608	2740	cmd.exe	31
PID 2740 wrote to memory of 1608	2740	cmd.exe	31
PID 2740 wrote to memory of 2668	2740	cmd.exe	32
PID 2740 wrote to memory of 2668	2740	cmd.exe	32
PID 2740 wrote to memory of 2668	2740	cmd.exe	32
PID 2668 wrote to memory of 1876	2668	alpha.exe	33
PID 2668 wrote to memory of 1876	2668	alpha.exe	33
PID 2668 wrote to memory of 1876	2668	alpha.exe	33
PID 2740 wrote to memory of 2764	2740	cmd.exe	34
PID 2740 wrote to memory of 2764	2740	cmd.exe	34
PID 2740 wrote to memory of 2764	2740	cmd.exe	34
PID 2764 wrote to memory of 2944	2764	alpha.exe	35
PID 2764 wrote to memory of 2944	2764	alpha.exe	35
PID 2764 wrote to memory of 2944	2764	alpha.exe	35
PID 2740 wrote to memory of 2932	2740	cmd.exe	36
PID 2740 wrote to memory of 2932	2740	cmd.exe	36
PID 2740 wrote to memory of 2932	2740	cmd.exe	36
PID 2932 wrote to memory of 2132	2932	alpha.exe	37
PID 2932 wrote to memory of 2132	2932	alpha.exe	37
PID 2932 wrote to memory of 2132	2932	alpha.exe	37
PID 2740 wrote to memory of 2844	2740	cmd.exe	38
PID 2740 wrote to memory of 2844	2740	cmd.exe	38
PID 2740 wrote to memory of 2844	2740	cmd.exe	38
PID 2740 wrote to memory of 2844	2740	cmd.exe	38
PID 2740 wrote to memory of 2592	2740	cmd.exe	39
PID 2740 wrote to memory of 2592	2740	cmd.exe	39
PID 2740 wrote to memory of 2592	2740	cmd.exe	39
PID 2740 wrote to memory of 2896	2740	cmd.exe	40
PID 2740 wrote to memory of 2896	2740	cmd.exe	40
PID 2740 wrote to memory of 2896	2740	cmd.exe	40
PID 2844 wrote to memory of 1724	2844	CLEAN.COM	41
PID 2844 wrote to memory of 1724	2844	CLEAN.COM	41
PID 2844 wrote to memory of 1724	2844	CLEAN.COM	41
PID 2844 wrote to memory of 1724	2844	CLEAN.COM	41

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\6a3e2eecb7f7f464c57a7159570d2d55c6893839be852af898089550265f5dfc.cmd"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\System32\extrac32.exe
  C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
  2⤵
  PID:1608
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    3⤵
    PID:1876
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\6a3e2eecb7f7f464c57a7159570d2d55c6893839be852af898089550265f5dfc.cmd" "C:\\Users\\Public\\CLEAN.GIF" 9
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\6a3e2eecb7f7f464c57a7159570d2d55c6893839be852af898089550265f5dfc.cmd" "C:\\Users\\Public\\CLEAN.GIF" 9
    3⤵
    - Executes dropped EXE
    PID:2944
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12
    3⤵
    - Executes dropped EXE
    PID:2132
- C:\Users\Public\Libraries\CLEAN.COM
  C:\Users\Public\Libraries\CLEAN.COM
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 704
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1724
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CLEAN.GIF" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\CLEAN.GIF

Filesize
2.0MB

MD5
90dadde803ff62b49c7a6a1036c1345d

SHA1
38a66479a3a9e77e706c0d3d61c34d00abf827e6

SHA256
59d08989d1f700d980293cfb00ac9210faa20b927f1677b703a1202c845b6f6c

SHA512
8bf8efac27e3949a0188f1e2b21a1c605979f72430cc4d3b5d97ef5da3e34a2ea3953de57b1c8e6fc505d587b6cd501aa028b824bd1b7573530f80ece01896a5

Download Submit
C:\Users\Public\Libraries\CLEAN.COM

Filesize
1002KB

MD5
100c56dc1dda4a00ce29621b2e9be469

SHA1
ac6986c4529cf338e33a7e4034c4addecac18b1a

SHA256
1da560c9b053a8caf0b89f42196427c7075138b619879a8508736fd8451ecab8

SHA512
3a13c132ff90291716d8512f794b0cccff458d87039a150c10e6db5ba3954d1a9d78e8b8e1564d6876f3056492aaebfc5b11c37397a09f4a9198c03f6100d5ba

Download Submit
\Users\Public\alpha.exe

Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
\Users\Public\kn.exe

Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
memory/2844-33-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download