Analysis

max time kernel: 119s
max time network: 123s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 28/07/2024, 20:46
Static task: static1

Behavioral task: behavioral1
  Sample: de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe
  Resource: win10v2004-20240709-en
General

Target: de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe
Size: 7.1MB
MD5: 945799bf0c3ea84b4fbe73c02ebe45d3
SHA1: 4aaba52d3cb179d390d427576b02b9f8fca038ef
SHA256: de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b
SHA512: ec6ecfc7fa46ac82680b8b5bf67581f8f0578e202b22909af15efc2d1b94eec2c43a630413b94f7e1c47c3848d2512750b2abd417d48e24cf6442dfb1c17b4dd
SSDEEP: 196608:cfU9Zc6BLCAuwqj4FGUY7R7dd5HTK32N5mh:sGhC3+FGUY1J3Pmh
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
pid  | Process
1664 | de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe
2728 | Mp3tag.exe
2732 | Mp3tag.exe

Loads dropped DLL (6 IoCs)
pid  | Process
1288 | de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe
1664 | de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe
1664 | de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe
2728 | Mp3tag.exe
2728 | Mp3tag.exe
2732 | Mp3tag.exe

Suspicious use of SetThreadContext (1 IoC)
description                          | pid  | Process    | procid_target
PID 2732 set thread context of 2776 | 2732 | Mp3tag.exe | 33

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc                                                          | Process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid  | Process
2728 | Mp3tag.exe
2732 | Mp3tag.exe
2732 | Mp3tag.exe
2776 | cmd.exe
2776 | cmd.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
pid  | Process
2732 | Mp3tag.exe
2776 | cmd.exe

Suspicious use of WriteProcessMemory (24 IoCs)
description                         | pid  | Process                                                              | procid_target
PID 1288 wrote to memory of 1664    | 1288 | de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe | 28
PID 1288 wrote to memory of 1664    | 1288 | de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe | 28
PID 1288 wrote to memory of 1664    | 1288 | de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe | 28
PID 1288 wrote to memory of 1664    | 1288 | de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe | 28
PID 1288 wrote to memory of 1664    | 1288 | de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe | 28
PID 1288 wrote to memory of 1664    | 1288 | de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe | 28
PID 1288 wrote to memory of 1664    | 1288 | de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe | 28
PID 1664 wrote to memory of 2728    | 1664 | de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe | 31
PID 1664 wrote to memory of 2728    | 1664 | de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe | 31
PID 1664 wrote to memory of 2728    | 1664 | de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe | 31
PID 1664 wrote to memory of 2728    | 1664 | de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe | 31
PID 2728 wrote to memory of 2732    | 2728 | Mp3tag.exe                                                           | 32
PID 2728 wrote to memory of 2732    | 2728 | Mp3tag.exe                                                           | 32
PID 2728 wrote to memory of 2732    | 2728 | Mp3tag.exe                                                           | 32
PID 2732 wrote to memory of 2776    | 2732 | Mp3tag.exe                                                           | 33
PID 2732 wrote to memory of 2776    | 2732 | Mp3tag.exe                                                           | 33
PID 2732 wrote to memory of 2776    | 2732 | Mp3tag.exe                                                           | 33
PID 2732 wrote to memory of 2776    | 2732 | Mp3tag.exe                                                           | 33
PID 2732 wrote to memory of 2776    | 2732 | Mp3tag.exe                                                           | 33
PID 2776 wrote to memory of 2532    | 2776 | cmd.exe                                                              | 35
PID 2776 wrote to memory of 2532    | 2776 | cmd.exe                                                              | 35
PID 2776 wrote to memory of 2532    | 2776 | cmd.exe                                                              | 35
PID 2776 wrote to memory of 2532    | 2776 | cmd.exe                                                              | 35
PID 2776 wrote to memory of 2532    | 2776 | cmd.exe                                                              | 35
Processes

1. C:\Users\Admin\AppData\Local\Temp\de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe"
   PID: 1288
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Temp\{EE9D0B1A-4496-4D7A-AAC2-7AE180625208}\.cr\de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe
      Command line: "C:\Windows\Temp\{EE9D0B1A-4496-4D7A-AAC2-7AE180625208}\.cr\de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
      PID: 1664
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Temp\{8BE7ABCE-405D-42CE-812A-493B1F56F761}\.ba\Mp3tag.exe
         Command line: "C:\Windows\Temp\{8BE7ABCE-405D-42CE-812A-493B1F56F761}\.ba\Mp3tag.exe"
         PID: 2728
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

         4. C:\ProgramData\Wr_Writer\Mp3tag.exe
            Command line: C:\ProgramData\Wr_Writer\Mp3tag.exe
            PID: 2732
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\cmd.exe
               Command line: C:\Windows\SysWOW64\cmd.exe
               PID: 2776
               - System Location Discovery: System Language Discovery
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious behavior: MapViewOfSection
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\SysWOW64\explorer.exe
                  Command line: C:\Windows\SysWOW64\explorer.exe
                  PID: 2532
                  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads