91e7716800b4bd6a5f56583a82ad4efbc67f5c6e3f3e973d48d572db1bfe0ff8

Analysis

max time kernel
102s
max time network
112s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 06:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9372ebe705430badd1b025d0c8aef410N.exe
Size

2.3MB
MD5

9372ebe705430badd1b025d0c8aef410
SHA1

521dcaa0306d63452237113bb9ad4af46a32e97c
SHA256

91e7716800b4bd6a5f56583a82ad4efbc67f5c6e3f3e973d48d572db1bfe0ff8
SHA512

b40f7a00a0574854871315df562042a25f12a28588e068edb70958038d7d8c5668ba790b9197457cb8f11798b688a611c760bcb13a97da10e9b26b2f214ea3a2
SSDEEP

49152:YHXETr6nxySkBxhBGLO9GnH0DOEsvLd8vJCCI3aJEmxmHNZobo:YHXETrtSyLGLOQ0DOEsGBCPaJvxmH6

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2404	9372be705430badd1b025d0c8aef410N.exe

Loads dropped DLL 2 IoCs

pid	Process
712	9372ebe705430badd1b025d0c8aef410N.exe
2404	9372be705430badd1b025d0c8aef410N.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\tCUTnEPd\9372be705430badd1b025d0c8aef410N.exe	9372ebe705430badd1b025d0c8aef410N.exe
File created	C:\Windows\SysWOW64\tCUTnEPd\9372be705430badd1b025d0c8aef410N.exe	9372ebe705430badd1b025d0c8aef410N.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\AnixyN\tSaJSKjd.dll	9372be705430badd1b025d0c8aef410N.exe
File created	C:\Windows\brUpgW.dll	9372ebe705430badd1b025d0c8aef410N.exe
File created	C:\Windows\LbXUeYu.dll	9372be705430badd1b025d0c8aef410N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9372be705430badd1b025d0c8aef410N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9372ebe705430badd1b025d0c8aef410N.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
712	9372ebe705430badd1b025d0c8aef410N.exe
2404	9372be705430badd1b025d0c8aef410N.exe
2404	9372be705430badd1b025d0c8aef410N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 712 wrote to memory of 2404	712	9372ebe705430badd1b025d0c8aef410N.exe	30
PID 712 wrote to memory of 2404	712	9372ebe705430badd1b025d0c8aef410N.exe	30
PID 712 wrote to memory of 2404	712	9372ebe705430badd1b025d0c8aef410N.exe	30
PID 712 wrote to memory of 2404	712	9372ebe705430badd1b025d0c8aef410N.exe	30

C:\Users\Admin\AppData\Local\Temp\9372ebe705430badd1b025d0c8aef410N.exe
"C:\Users\Admin\AppData\Local\Temp\9372ebe705430badd1b025d0c8aef410N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:712
- C:\Windows\SysWOW64\tCUTnEPd\9372be705430badd1b025d0c8aef410N.exe
  "C:\Windows\SysWOW64\tCUTnEPd\9372be705430badd1b025d0c8aef410N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\YRYNsB\FAHQiDeJ.dll

Filesize
10KB

MD5
9beea848c33b55f1a62555966619c5e0

SHA1
791a2d77ba5d6740914aab012501634a650b69b1

SHA256
9620517d33fdfd525c8722a7d3f00ba1e2f8d6e9b3df4af2f3e1930186fd0740

SHA512
124c7a2f838dd6aac815b3b4b0c569c6a3ea9bbf27a3573ecba249049fa68d858fa793c2992a1e4c56bb5ea08edfbc883ad36b199f200309de977af06c273d73

Download Submit
\Windows\SysWOW64\tCUTnEPd\9372be705430badd1b025d0c8aef410N.exe

Filesize
2.3MB

MD5
ff8822b417dfb6ba031887d556ca3efd

SHA1
1fccccd9e96af139b00452674184372d3bc3d41d

SHA256
1993d72dfa670456e2ae6f67a165a341f31d27293fcb418d5bc8ff3157d07128

SHA512
fe8d300cea46c1946f29a07c703ddb9f82dd7b935846913bdfabd766a0925b711e7e857c5fbf28f3a0d7a579f4767ea2c2bdbb4c6919c1f62008c4c4341d6986

Download Submit
memory/712-0-0x0000000000400000-0x00000000007CF000-memory.dmp

Filesize
3.8MB

Download
memory/712-1-0x0000000077FE0000-0x0000000077FE1000-memory.dmp

Filesize
4KB

Download
memory/712-3-0x0000000077FE0000-0x0000000077FE1000-memory.dmp

Filesize
4KB

Download
memory/712-7-0x0000000075930000-0x0000000075931000-memory.dmp

Filesize
4KB

Download
memory/712-9-0x0000000000400000-0x00000000007CF000-memory.dmp

Filesize
3.8MB

Download
memory/712-31-0x0000000000400000-0x00000000007CF000-memory.dmp

Filesize
3.8MB

Download
memory/2404-18-0x0000000000400000-0x00000000007CF000-memory.dmp

Filesize
3.8MB

Download
memory/2404-27-0x0000000000400000-0x00000000007CF000-memory.dmp

Filesize
3.8MB

Download
memory/2404-32-0x0000000000400000-0x00000000007CF000-memory.dmp

Filesize
3.8MB

Download