Overview

overview

7

Static

static

3

a6547fe094...0N.exe

windows7-x64

7

a6547fe094...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    27/07/2024, 07:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a6547fe0941d73201e927e83b9e60e00N.exe

  • Size

    234KB

  • MD5

    a6547fe0941d73201e927e83b9e60e00

  • SHA1

    8165036c4f6e825f62f9ccd48cc28bd5849d4321

  • SHA256

    cd77f16b0c2c80fdb33d06baba9d0405c4b7f859aa73b835a389e3405b07461a

  • SHA512

    d2c5e59fdd1a7dc748a2df7a34b56df4e936a3d5998a655a2cc4ebeec2a04a07d68a4a7f3ddce2fbc54f7d396dd0798dabd2dce91f230569f82ba2dbc27a0ce5

  • SSDEEP

    6144:tnikkEXnlfxdHq0jO6GgFN5px9BxDko0Tn707F0lvrxk6:t2EXnlZdHquO/dT705erxV

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1228
    • C:\Users\Admin\AppData\Local\Temp\a6547fe0941d73201e927e83b9e60e00N.exe
      "C:\Users\Admin\AppData\Local\Temp\a6547fe0941d73201e927e83b9e60e00N.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Users\Admin\AppData\Roaming\Disp_ssp\convsort.exe
        "C:\Users\Admin\AppData\Roaming\Disp_ssp"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3032
        • C:\Users\Admin\AppData\Local\Temp\~5C05.tmp
          1228 239624 3032 1
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2792
  • C:\Windows\SysWOW64\cmdlutou.exe
    C:\Windows\SysWOW64\cmdlutou.exe -s
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:2620

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Disp_ssp\convsort.exe
          Filesize

          234KB

          MD5

          dfe2b957ad58e660b61f8ea07b75ded5

          SHA1

          870c5512454977f0945581da979bd9765037d57b

          SHA256

          a14e6cd808f63d8bebfebb5ccf102d17eae9b8b6fc7bf24b099d2dfb157ea6a2

          SHA512

          fd6449faee79b1d367b240dc047a69ec679ea56234523d97c0a176ce50227aa486fd9cf4326ea48fa5e43778ad95ffae4ca0d53141a5f4719e0f977616927b81

          Download Submit

        • \Users\Admin\AppData\Local\Temp\~5C05.tmp
          Filesize

          8KB

          MD5

          86dc243576cf5c7445451af37631eea9

          SHA1

          99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

          SHA256

          25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

          SHA512

          c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

          Download Submit

        • memory/1228-21-0x0000000002A70000-0x0000000002ABA000-memory.dmp

          Filesize

          296KB

          Download

        • memory/1228-28-0x00000000025E0000-0x00000000025ED000-memory.dmp

          Filesize

          52KB

          Download

        • memory/1228-25-0x0000000002A70000-0x0000000002ABA000-memory.dmp

          Filesize

          296KB

          Download

        • memory/1228-27-0x00000000025D0000-0x00000000025D6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/1228-22-0x0000000002A70000-0x0000000002ABA000-memory.dmp

          Filesize

          296KB

          Download

        • memory/2620-33-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/2620-34-0x00000000003A0000-0x00000000003E3000-memory.dmp

          Filesize

          268KB

          Download

        • memory/3016-0-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/3016-12-0x00000000004F0000-0x000000000052F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/3016-1-0x00000000001B0000-0x00000000001F3000-memory.dmp

          Filesize

          268KB

          Download

        • memory/3016-14-0x00000000004F0000-0x000000000052F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/3016-35-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/3032-18-0x0000000000220000-0x0000000000263000-memory.dmp

          Filesize

          268KB

          Download

        • memory/3032-19-0x0000000000320000-0x0000000000325000-memory.dmp

          Filesize

          20KB

          Download

        • memory/3032-17-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download