Analysis

  • max time kernel
    112s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/07/2024, 01:19

General

  • Target

    791fb05217c6ebe818ec4a5d3d00f2c0N.exe

  • Size

    110KB

  • MD5

    791fb05217c6ebe818ec4a5d3d00f2c0

  • SHA1

    3bc0f72e641b0e3c78e44eaa4530231ff10c0629

  • SHA256

    4bb19996a12b0016f828ddff1f65d1024ba4d1316151e7ae0da0453484dc8d1e

  • SHA512

    9582184be789fbd12d24dbc0212261d9e419cf1fcdf9f4ba3baf615ae80678d4fb76e9ad24a354d10358930b0906fb616d90af2abb2015ec9fabdbf3ba9229ac

  • SSDEEP

    3072:O+fD+u6ERascLnzx3u6xCnO3Zh5l6yw7RsH5eZV:O+/6IaVVs2z6PZV

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 7 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\791fb05217c6ebe818ec4a5d3d00f2c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\791fb05217c6ebe818ec4a5d3d00f2c0N.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3536
    • C:\Windows\SysWOW64\inf\svchosts.exe
      "C:\Windows\system32\inf\svchosts.exe" C:\Windows\system32\lwisys16_080121.dll start
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4076
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c c:\mycj.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:884
        • C:\Windows\system\sslxpes080121.exe
          "C:\Windows\system\sslxpes080121.exe" i
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3360
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1688
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:17410 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1508
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c c:\myDelm.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4064

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          471B

          MD5

          3657335e6a16bf2e31605028126baadb

          SHA1

          e5d5a1fb18511ebcb49494570a94b92527540114

          SHA256

          433b51bbdd8a72ef859d9e4bc11030dd61b20e78db25fda3780d5ae8fe706548

          SHA512

          29b6d77cb3850711312b6578dc8f647018c1e7ea7ff1a375f55563dd69395d03a960d11e6a83d77c0a93695440fb1c3522cfbd4c957e6e06c82c9e8650785848

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          404B

          MD5

          5763609b88d03521916fa27dd2f2698f

          SHA1

          8eb5a57ca13bb95ee591a6b9b49ced4277de3264

          SHA256

          12e28eb39e8317534b566887f599402be7aa8f8f3503bf9698687a2c804b2d07

          SHA512

          749d4c00c02114501b8321a6072b0ded47e843c431efed3d3be5446c5ff958a05ceff84dd683eed4da744cd4e84611bda2139e5ba518713895c7861df4488cc3

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MQYRE6E5\suggestions[1].en-US

          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        • C:\Windows\SysWOW64\inf\svchosts.exe

          Filesize

          60KB

          MD5

          889b99c52a60dd49227c5e485a016679

          SHA1

          8fa889e456aa646a4d0a4349977430ce5fa5e2d7

          SHA256

          6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

          SHA512

          08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

        • C:\Windows\SysWOW64\lwisys16_080121.dll

          Filesize

          25KB

          MD5

          00f62db2ce4b91fc565446ecf58b236c

          SHA1

          d6e6aee7783d3bba5b0ea3f81841abf0822ebb05

          SHA256

          b4d08175dfa8174851a2cf8591e97b560ffdf2bb24838c094a83f9cb3a65485e

          SHA512

          027e93b35e14a1268b6241e0983a81f6d40fbe995a4f6d1ebd9de8784e2836c59079284e31a082413ac7bef5c39af11ca362458a12ee95eedd7a04208d03bb8c

        • C:\Windows\SysWOW64\mwisys32_080121.dll

          Filesize

          206KB

          MD5

          d5223fdc59a5d7004918d63f8923bea6

          SHA1

          c6e053ddece96d709309ee2a92b20acc15d6236b

          SHA256

          ac87a428549ee496de6468c6fd214232159c2b09d0826c6ea25cd34809c1e0bb

          SHA512

          90a1effe8d6862bbfd498d8721c4fa2b6d7397702c660a5f59120fe868a2568bc784185c8685cb125ed9439db3622d757d8e190abbd419c5b6f9bdf79477f939

        • C:\Windows\pwisys.ini

          Filesize

          46B

          MD5

          710c1614044cb14951cd5feb9a639b97

          SHA1

          91e581a0d71f2430dd276d6fe3425ddee4923602

          SHA256

          375e3a1f248dddf86c1200b32f33fd6e7f20a28244f141bad3fb0a629f94a4bd

          SHA512

          be6af8e6995ed43e01643ad7bae40d6d559ba5338a885ca62566f614275ce2922678fd8059d5e52b9db59159d6adee0d16cbddcae3d90ad7f39e82232a11f66f

        • C:\Windows\pwisys.ini

          Filesize

          93B

          MD5

          3244cd00d63c963848bbbfad8186a427

          SHA1

          47d8ae01425f57861fce6d5aa7830192a079e48d

          SHA256

          1749dca26f309a78eac8586ebfff3371ea32b7d6cbf11fb03087bb9073f5a2c6

          SHA512

          4ae4a49467a5154472b64af0204d2158babe4d9c288d42c3bc825cbaebc0fad762640499ee107e66b4499d2cfc76fc7cf374a50992f927458bb69998a4ab62fe

        • C:\Windows\pwisys.ini

          Filesize

          355B

          MD5

          828a19147f8ada1b9374a7269ae7665b

          SHA1

          2942d6624047fca672577c334c654e903cb003b5

          SHA256

          4d4b49e3ed9d8e79be091eae7797c5e4c6ebc771d9f4c13b9658c2361929c8fe

          SHA512

          d3f423147e6c5188088e0c0f2ff01345eecd0078653c5eb568d91dc96128907bff0f69409b71e809e56d2e928d48ec9d61a7066bdcbcbb06ac80dd8a40af81aa

        • C:\Windows\pwisys.ini

          Filesize

          361B

          MD5

          d9a6dc55420295d7474d896002dd1f3e

          SHA1

          77d4fe37e7c5b255e3883e3f077ff19d6c36def5

          SHA256

          ffb769cb48a2c0b54c684a70184aae11b6116bffb9fe763b8ca5002c7a959a69

          SHA512

          67091c367a6da0817887e358c361401f10c2f42d7c4de94676c5d0f4ad79c1b7adda89eeb571ddaa93de81bf868bced1107fec9b12046c15aab51afc98930777

        • C:\Windows\pwisys.ini

          Filesize

          404B

          MD5

          bb4305422fa86e49a1a66179e3b4008a

          SHA1

          73e01d58e18440e9f6a980b4381a9534b5a7b0c8

          SHA256

          0c3ef515d433b870b4721bb754a5de39334c761d260bd807100aa8a91736d1f0

          SHA512

          c7fc85f531b24b8b4cc99918059f0584ed23d613f4d9c1383cb5fd2de25a4f0ffde7f587a832fdc60004898d6957df41cac44bffb28dff3c57a1c9cdcf839eda

        • C:\Windows\pwisys.ini

          Filesize

          441B

          MD5

          4a63fb26f859366062129718f41a56a9

          SHA1

          674f98b2e5190079ee2dc31dde9005abd642c5a0

          SHA256

          1c77b5e06c83566d6a2d676272781b52d586ea332496fae5b1003e926a8ed7f7

          SHA512

          170f4074a781727b68d39ea83df35f10bef7a9c6f9b72259bda0b667f4deedaa077bebe05695c72bc532cb04d714ecf82d3eb8d59ed4cf08fba49ef5d965a99c

        • C:\Windows\system\sslxpes080121.exe

          Filesize

          110KB

          MD5

          791fb05217c6ebe818ec4a5d3d00f2c0

          SHA1

          3bc0f72e641b0e3c78e44eaa4530231ff10c0629

          SHA256

          4bb19996a12b0016f828ddff1f65d1024ba4d1316151e7ae0da0453484dc8d1e

          SHA512

          9582184be789fbd12d24dbc0212261d9e419cf1fcdf9f4ba3baf615ae80678d4fb76e9ad24a354d10358930b0906fb616d90af2abb2015ec9fabdbf3ba9229ac

        • \??\c:\myDelm.bat

          Filesize

          207B

          MD5

          20c82bc9fe540705a805a1a1e61a6467

          SHA1

          65ac392b04fed8fe7c4cd5b45b2a245c55861bd4

          SHA256

          e7b22d5e2fb222d7da093296d4935d5e4efc2f5d76dac40fcd00993ea55f5298

          SHA512

          7717b9cb874325ecd9ccfaa1a6abb791d43463655e1f5b4f694d1910ca09b4c2b825c0aedef46ac73b7dd3d65eaca9f0f6b0b19de372c2935963110dc8ad1d1d

        • \??\c:\mycj.bat

          Filesize

          49B

          MD5

          5acd8b91c0b7b4cabce7cc4ba5619c61

          SHA1

          71e6fcc408f8289c1faec48a06d91d96f62ab90d

          SHA256

          677ab0d1835a4180460b87c1b8df45ec0eb9b9956d4c3b9863179972da100d83

          SHA512

          d68dd8e1e3b2aca80944183c23b0c8660abc68865c0933e54a0eec92b20acccb197eb06b06a117778177eaeca5130c5a83a90295c9eb8fbc8ab6ad8b95aed2e2

        • memory/4076-61-0x0000000000400000-0x000000000040C000-memory.dmp

          Filesize

          48KB