Analysis
max time kernel: 117s
max time network: 124s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 28-07-2024 01:46
Static task: static1
Behavioral task: behavioral1
  Sample: 57e7e983aa8ad025afda8f9517d17370.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 57e7e983aa8ad025afda8f9517d17370.exe
  Resource: win10v2004-20240709-en
General
Target: 57e7e983aa8ad025afda8f9517d17370.exe
Size: 48KB
MD5: 57e7e983aa8ad025afda8f9517d17370
SHA1: 87fd6cb237ebab8c49aa7fb6475f8e05315b0005
SHA256: 758bfe38ea859e9f3aed1e735abc1d75f3441ac2202036826bb4a2584affcaaf
SHA512: 6d6d2db8e1202274126004fe588576fc08e820dcc5a1c5e210b7b02e630b692af99e758b985a1765a797a6ea7d5b673670a3b15bb8184f2bfecfbe04313ec401
SSDEEP: 384:fpXhwnhBCTnvlHI68swU1Mf94tynhs36o7dEiXF13K1sD+8XtBhyG+dOFAw6+/HI:fpXhwnrCTnd8swmTWW3PksDnjNH07
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
  pid    Process
  2072   gwkgt.exe

Loads dropped DLL (1 IoCs)
  pid    Process
  2228   57e7e983aa8ad025afda8f9517d17370.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  57e7e983aa8ad025afda8f9517d17370.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  gwkgt.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                         pid    Process                                 procid_target
  PID 2228 wrote to memory of 2072    2228   57e7e983aa8ad025afda8f9517d17370.exe    30
  PID 2228 wrote to memory of 2072    2228   57e7e983aa8ad025afda8f9517d17370.exe    30
  PID 2228 wrote to memory of 2072    2228   57e7e983aa8ad025afda8f9517d17370.exe    30
  PID 2228 wrote to memory of 2072    2228   57e7e983aa8ad025afda8f9517d17370.exe    30
Processes

1. C:\Users\Admin\AppData\Local\Temp\57e7e983aa8ad025afda8f9517d17370.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\57e7e983aa8ad025afda8f9517d17370.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2228

   2. C:\Users\Admin\AppData\Local\Temp\gwkgt.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\gwkgt.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2072
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 48KB
MD5: ab67aecdbca2f19e56972cfc59669c0a
SHA1: 138ea40597f3a0a96558656160a4a23b0f77f013
SHA256: 850be2d7c40868f7ce7db512c8f4b01e5d9dc3b6242c1a8801a86b1bd432e33f
SHA512: a9ce95a45a84e68b684ecd526eb634dad984bc4a69080dec421a39bafa4ff22948239f769d1a9f639057846e246f7179ac367ae1d384e41234c7ce9b5d555c32