Analysis

  • max time kernel
    119s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-07-2024 01:40

General

  • Target

    7ba80d70c9665abbe2947c9e3f19a370N.exe

  • Size

    183KB

  • MD5

    7ba80d70c9665abbe2947c9e3f19a370

  • SHA1

    0ffe3cca64bc09173f71ee9b1b4d48041b8a0aac

  • SHA256

    995f9981db52cde1e7fda5eb128eb5c3f4a5083f2f1a4d844e9b73165a7e3c9c

  • SHA512

    06c009746ab3c0b6704a6e07700f67b1f0b0f798bcd325c65a21c0f0236102dd23834671dc94152276d8c3b6db4b07e8491f5176049de35b9697ca775f31c32a

  • SSDEEP

    3072:ZYDDQYmVX9y/vHw4/QljoV43DgvP5pSBlf+ATxbUX9ff1TmrcSQLPuYxS:ZYDUVX9KvwpkgBBlfhbUd0LePN

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ba80d70c9665abbe2947c9e3f19a370N.exe
    "C:\Users\Admin\AppData\Local\Temp\7ba80d70c9665abbe2947c9e3f19a370N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:556
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\hjxetd.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:316
  • C:\Users\Admin\Modules\Bin\msmsn.exe
    C:\Users\Admin\Modules\Bin\msmsn.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hjxetd.bat

    Filesize

    186B

    MD5

    6df7e10b888969d59677cc545583cc67

    SHA1

    3c083b4a14b343dd98bf2cea0d6ca98dde8f9801

    SHA256

    2e257a92bda2c8f75f0d430d545dff21244d473246ad70e1a6a17484e8664c13

    SHA512

    502ff5c1b1b8683353e7eabc54e7d45cae74f80ae53769ae0ddfeb0c88e5ad62e8dfc9c45a7c37c2d72d0db9d025ca8a990380f16084ed10103f70ebafec3d97

  • C:\Users\Admin\Modules\Bin\msmsn.exe

    Filesize

    183KB

    MD5

    0c0cbd189d6a7deae173ecc134b1019b

    SHA1

    b9bfc19e5b98d53fdb23808135af0c992f7f7334

    SHA256

    5dd49ddc6c6170a6163b2d0e4eea81fec8b902af8d425e044abe5880e66cbeff

    SHA512

    caea6fa19d6c0378ba6f42e28f7ac0a5a6b53824839960cd7c44af1c55b041f4d05692b84157cab97ac0ca0966d0bd98d0bbd8d88cf3b16b516cc72ce424cb85

  • memory/556-0-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/556-10-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/556-19-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/2632-18-0x0000000000280000-0x000000000029B000-memory.dmp

    Filesize

    108KB

  • memory/2632-20-0x0000000000280000-0x000000000029B000-memory.dmp

    Filesize

    108KB

  • memory/2632-29-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB