Analysis
max time kernel: 13s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 27-07-2024 01:56
Static task: static1
Behavioral task: behavioral1
  Sample: 7d99ce944ba1a2460b9d3facdc5c73d0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 7d99ce944ba1a2460b9d3facdc5c73d0N.exe
  Resource: win10v2004-20240709-en
General
Target: 7d99ce944ba1a2460b9d3facdc5c73d0N.exe
Size: 208KB
MD5: 7d99ce944ba1a2460b9d3facdc5c73d0
SHA1: c1a7ff98174eb2dd590c24dca87fb727dc093340
SHA256: 16b5155bed4e5a1302c631273456704e3f710a49f539879c0a2e96863342e467
SHA512: af68da5315f641f8b27b2d50ab597d353eb7ff58afcfa63e3d42a4e0077b0f1d2d735d725ee05c962e00eeee08f5e922f871bb88b83847e48b6724d44303b7a6
SSDEEP: 3072:plQsSiYrcDuWsb2CdBsmQC5HPIA2WfvC2iC4NLthEjQT6:plfSi0cSWsb2AB55PIBgvCAQEj
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  2188  DMF.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  2568  cmd.exe
  2568  cmd.exe

Drops file in System32 directory (3 IoCs)
Processes:
  description                    ioc                               process
  File created                   C:\windows\SysWOW64\DMF.exe       7d99ce944ba1a2460b9d3facdc5c73d0N.exe
  File opened for modification   C:\windows\SysWOW64\DMF.exe       7d99ce944ba1a2460b9d3facdc5c73d0N.exe
  File created                   C:\windows\SysWOW64\DMF.exe.bat   7d99ce944ba1a2460b9d3facdc5c73d0N.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description   ioc                                                              process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      7d99ce944ba1a2460b9d3facdc5c73d0N.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      DMF.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  2488  7d99ce944ba1a2460b9d3facdc5c73d0N.exe
  2188  DMF.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid   process
  2488  7d99ce944ba1a2460b9d3facdc5c73d0N.exe
  2488  7d99ce944ba1a2460b9d3facdc5c73d0N.exe
  2188  DMF.exe
  2188  DMF.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                       pid    process                                  target process
  PID 2488 wrote to memory of 2568  2488   7d99ce944ba1a2460b9d3facdc5c73d0N.exe    cmd.exe
  PID 2488 wrote to memory of 2568  2488   7d99ce944ba1a2460b9d3facdc5c73d0N.exe    cmd.exe
  PID 2488 wrote to memory of 2568  2488   7d99ce944ba1a2460b9d3facdc5c73d0N.exe    cmd.exe
  PID 2488 wrote to memory of 2568  2488   7d99ce944ba1a2460b9d3facdc5c73d0N.exe    cmd.exe
  PID 2568 wrote to memory of 2188  2568   cmd.exe                                  DMF.exe
  PID 2568 wrote to memory of 2188  2568   cmd.exe                                  DMF.exe
  PID 2568 wrote to memory of 2188  2568   cmd.exe                                  DMF.exe
  PID 2568 wrote to memory of 2188  2568   cmd.exe                                  DMF.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\7d99ce944ba1a2460b9d3facdc5c73d0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7d99ce944ba1a2460b9d3facdc5c73d0N.exe"
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\windows\system32\DMF.exe.bat" "
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\windows\SysWOW64\DMF.exe
         Command line: C:\windows\system32\DMF.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Windows\SysWOW64\DMF.exe.bat
  Filesize: 70B
  MD5: 4a59eee686a7a6b88955bd6af9d7ef27
  SHA1: 151263d4583a7941c74e5c069f3995a6abcf6d9d
  SHA256: 98bbb3d12f460ab9d534a7f2f899f7d76b6782e7d1bedccfcbdc28790268451b
  SHA512: 611db779971763d25bb935efc65c8b9b220600e6fbc595541331615d92c7b47d5bb12f983dc9fd0b81d5d2fb916b43532c17a50ef1f5045aa8db4d1be255faeb

\Windows\SysWOW64\DMF.exe
  Filesize: 208KB
  MD5: b677f2d48821077350d7080283905b6e
  SHA1: 7105a113dae7d9ae5e1fcc1046ea302df8344d97
  SHA256: a7a4910956cda03e2b2843eaf857371c80210c0dbfc40ded6e393405fb195d47
  SHA512: 31f4074dd13586054c2f206bad67fc9caf6022f01da8507f048649b2ef4a26a1c4061daf32ebd51b58ff1ad2168d93012ba8f41e5811f09f9b36e788cd06673a

memory/2188-19-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB

memory/2488-0-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB

memory/2488-12-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB

memory/2568-15-0x0000000000300000-0x0000000000338000-memory.dmp
  Filesize: 224KB