390d7f26d6eb9d933945df3d6f684f49388e13e2de4f936d81d1388194c15887

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/quicklink_desknote.exe
Size

41KB
MD5

461904ebd140d4bad858329f729bbfaf
SHA1

eb6234b7150900bd75e42f9de68bdd84239119fd
SHA256

c500be494ba46717484997633dbd0f400f3e86bbea13f277810e8f7d8f0a31e3
SHA512

3f3d63189476eceef30461760acacbeab3c66de00b5afbc41b1a0877c35796715dbe838aad802ed6e8c7497c42e8d4e40d9274d6391bffd0c43d848f5dd1e8d6
SSDEEP

768:EHJd0TpH2+bQ2dUWVX9Hfv1JMWmtLEJOyuBxG0D3mjfS3XJ4njNctAllGws0q6:EpgpHzb9dZVX9fHMvG0D3XJYNcOmyq6

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2808	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
2160	quicklink_desknote.exe
2160	quicklink_desknote.exe
2160	quicklink_desknote.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quicklink_desknote.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2808	2160	quicklink_desknote.exe	30
PID 2160 wrote to memory of 2808	2160	quicklink_desknote.exe	30
PID 2160 wrote to memory of 2808	2160	quicklink_desknote.exe	30
PID 2160 wrote to memory of 2808	2160	quicklink_desknote.exe	30
PID 2160 wrote to memory of 2808	2160	quicklink_desknote.exe	30
PID 2160 wrote to memory of 2808	2160	quicklink_desknote.exe	30
PID 2160 wrote to memory of 2808	2160	quicklink_desknote.exe	30

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\quicklink_desknote.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\quicklink_desknote.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c \DelUS.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
196B

MD5
d0e78ebcf67db9a0099b866bdf655488

SHA1
7cbf6733e92d99b611273d3b8a576f661627f7f3

SHA256
860f2157bb2d0d85050d0b9b4de49317ebdb864bede72189fafe9e6f28ec6483

SHA512
a17ee67903e88b2e6cea3d8b887662bcc06062bf58775e1970ce3ef8995b065fc6bd2371bf80b39e197641099b6a01b5f8d864875b28fcdebc35f408bd236a35

Download Submit
\Users\Admin\AppData\Local\Temp\nso4413.tmp\DLLWebCount.dll

Filesize
28KB

MD5
0bdd7c6f1046ea4b42839f991ae53fb2

SHA1
cb9baefb10159b4a684fa1ee4372e7715865052d

SHA256
0a0019b2603dbc4505453c2501255ab0cc0b3c317ece4a6ce0cfb6a02a30907b

SHA512
96f41497f25d7bc81f51ab167f74243b4b767089c89c26f9752ef518fa60dedd2722c66ae87dad2334bcce1622bc12f7b9b892ae654ca58cecd9f35c9f1dc163

Download Submit
\Users\Admin\AppData\Local\Temp\nso4413.tmp\FILEDownPlug.dll

Filesize
20KB

MD5
2dc96e6ef39e0472a2e21f3e71157cea

SHA1
660377e9d5c7189a9b8320925bc0c4620f7d7cc7

SHA256
92e1e72c1fd1f941172dc37ac8a29732e326d5482602c981d1b69bc31b0907ba

SHA512
b321d349c65e4eef7475ed4275f7e5fcaf1748e9da184da6eef3bc4c4d48a4e307f5e88c80739c669d2cec2c3cd3f933db78aa471f8190de9d0728b1d9dc2273

Download Submit
\Users\Admin\AppData\Local\Temp\nso4413.tmp\SelfDelete.dll

Filesize
24KB

MD5
7bf1bd7661385621c7908e36958f582e

SHA1
43242d7731c097e95fb96753c8262609ff929410

SHA256
c0ad2c13d48c9fe62f898da822a5f08be3bf6c4e2c1c7ffdf7634f2ca4a8859e

SHA512
8317af5cc3ac802eb095f3fa8cc71daa1265ca58fead031c07872f3d4bb07663a7002ae734fad392a7617f0923fe0caf1f54ed55afdf8516a6a08e202d86fa7f

Download Submit