Analysis
-
max time kernel
13s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
27-07-2024 01:56
General
-
Target
7d99ce944ba1a2460b9d3facdc5c73d0N.exe
-
Size
208KB
-
MD5
7d99ce944ba1a2460b9d3facdc5c73d0
-
SHA1
c1a7ff98174eb2dd590c24dca87fb727dc093340
-
SHA256
16b5155bed4e5a1302c631273456704e3f710a49f539879c0a2e96863342e467
-
SHA512
af68da5315f641f8b27b2d50ab597d353eb7ff58afcfa63e3d42a4e0077b0f1d2d735d725ee05c962e00eeee08f5e922f871bb88b83847e48b6724d44303b7a6
-
SSDEEP
3072:plQsSiYrcDuWsb2CdBsmQC5HPIA2WfvC2iC4NLthEjQT6:plfSi0cSWsb2AB55PIBgvCAQEj
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in System32 directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d99ce944ba1a2460b9d3facdc5c73d0N.exe"C:\Users\Admin\AppData\Local\Temp\7d99ce944ba1a2460b9d3facdc5c73d0N.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\windows\system32\DMF.exe.bat" "2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\windows\SysWOW64\DMF.exeC:\windows\system32\DMF.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\DMF.exe.batFilesize
70B
MD54a59eee686a7a6b88955bd6af9d7ef27
SHA1151263d4583a7941c74e5c069f3995a6abcf6d9d
SHA25698bbb3d12f460ab9d534a7f2f899f7d76b6782e7d1bedccfcbdc28790268451b
SHA512611db779971763d25bb935efc65c8b9b220600e6fbc595541331615d92c7b47d5bb12f983dc9fd0b81d5d2fb916b43532c17a50ef1f5045aa8db4d1be255faeb
-
\Windows\SysWOW64\DMF.exeFilesize
208KB
MD5b677f2d48821077350d7080283905b6e
SHA17105a113dae7d9ae5e1fcc1046ea302df8344d97
SHA256a7a4910956cda03e2b2843eaf857371c80210c0dbfc40ded6e393405fb195d47
SHA51231f4074dd13586054c2f206bad67fc9caf6022f01da8507f048649b2ef4a26a1c4061daf32ebd51b58ff1ad2168d93012ba8f41e5811f09f9b36e788cd06673a
-
memory/2188-19-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2488-0-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2488-12-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2568-15-0x0000000000300000-0x0000000000338000-memory.dmpFilesize
224KB