9608129701213f7565040f385e8c263d0daaa01ce31dcc7f95a7584c7bf4ad44

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6b7cb431b16723bce5523e0ac0c99fe0e583afaf1154f51cffee7420fe4dd74.exe
Size

1.1MB
MD5

5a4f537ffd75be93484d34543127898c
SHA1

3b70254cce9cfcae221637c00610c6a7543f0272
SHA256

d6b7cb431b16723bce5523e0ac0c99fe0e583afaf1154f51cffee7420fe4dd74
SHA512

871b2c0ab547ac8e8dd38f6500fd59a190cc04f53282a2eee77641d2e5139c9788aa40cd9dc4ae8bccfc2be04fadb7ce20f3f36592b660a404d93972d90c1a87
SSDEEP

24576:wx4tQdKLXCSDZGQQi8h+GT7cVhn6hxEx1FATbticaqKd:wx4tx1oh+G7cv6hOSicaqe

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
25	2988	WScript.exe
27	2988	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation	d6b7cb431b16723bce5523e0ac0c99fe0e583afaf1154f51cffee7420fe4dd74.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation	Trascinava.exe.com

Executes dropped EXE 2 IoCs

pid	Process
1264	Trascinava.exe.com
404	Trascinava.exe.com

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	iplogger.org
25	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trascinava.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6b7cb431b16723bce5523e0ac0c99fe0e583afaf1154f51cffee7420fe4dd74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	makecab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trascinava.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
960	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Trascinava.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Trascinava.exe.com

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000_Classes\Local Settings	Trascinava.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
960	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 1936	4420	d6b7cb431b16723bce5523e0ac0c99fe0e583afaf1154f51cffee7420fe4dd74.exe	86
PID 4420 wrote to memory of 1936	4420	d6b7cb431b16723bce5523e0ac0c99fe0e583afaf1154f51cffee7420fe4dd74.exe	86
PID 4420 wrote to memory of 1936	4420	d6b7cb431b16723bce5523e0ac0c99fe0e583afaf1154f51cffee7420fe4dd74.exe	86
PID 4420 wrote to memory of 2744	4420	d6b7cb431b16723bce5523e0ac0c99fe0e583afaf1154f51cffee7420fe4dd74.exe	88
PID 4420 wrote to memory of 2744	4420	d6b7cb431b16723bce5523e0ac0c99fe0e583afaf1154f51cffee7420fe4dd74.exe	88
PID 4420 wrote to memory of 2744	4420	d6b7cb431b16723bce5523e0ac0c99fe0e583afaf1154f51cffee7420fe4dd74.exe	88
PID 2744 wrote to memory of 828	2744	cmd.exe	90
PID 2744 wrote to memory of 828	2744	cmd.exe	90
PID 2744 wrote to memory of 828	2744	cmd.exe	90
PID 828 wrote to memory of 2184	828	cmd.exe	91
PID 828 wrote to memory of 2184	828	cmd.exe	91
PID 828 wrote to memory of 2184	828	cmd.exe	91
PID 828 wrote to memory of 1264	828	cmd.exe	92
PID 828 wrote to memory of 1264	828	cmd.exe	92
PID 828 wrote to memory of 1264	828	cmd.exe	92
PID 828 wrote to memory of 960	828	cmd.exe	93
PID 828 wrote to memory of 960	828	cmd.exe	93
PID 828 wrote to memory of 960	828	cmd.exe	93
PID 1264 wrote to memory of 404	1264	Trascinava.exe.com	94
PID 1264 wrote to memory of 404	1264	Trascinava.exe.com	94
PID 1264 wrote to memory of 404	1264	Trascinava.exe.com	94
PID 404 wrote to memory of 2988	404	Trascinava.exe.com	97
PID 404 wrote to memory of 2988	404	Trascinava.exe.com	97
PID 404 wrote to memory of 2988	404	Trascinava.exe.com	97

C:\Users\Admin\AppData\Local\Temp\d6b7cb431b16723bce5523e0ac0c99fe0e583afaf1154f51cffee7420fe4dd74.exe
"C:\Users\Admin\AppData\Local\Temp\d6b7cb431b16723bce5523e0ac0c99fe0e583afaf1154f51cffee7420fe4dd74.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\SysWOW64\makecab.exe
  "C:\Windows\System32\makecab.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c RlFBBTBnWWwxXYwFINyxjFlP & APjAehxPNGRyRlxhFSeDuKfwKH & cmd < Aprile.msi
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^gPIKOQDiOVOQAkxOJpjaiBEhzvnzmHdsLNWlyPxotLIoNpJmItLcVfDMkcdsalIiEvtNgpITPtgcTcmlNYKxWUvvplZJnePUrBDdyWkmcRGRwoSQWuDxmhlJqIDtlZcMg$" Tese.msi
      4⤵
      System Location Discovery: System Language Discovery
      PID:2184
  - - C:\Users\Admin\AppData\Roaming\ieBjZPIwrfYTIGFlspmRCLiHMokMPmlPcKhNkxSfoosYGYzWBAYSlPqvVTmQDWkDtonXzSYWslJxzoqNPfkfBaFF\Trascinava.exe.com
      Trascinava.exe.com Y
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1264
    - - C:\Users\Admin\AppData\Roaming\ieBjZPIwrfYTIGFlspmRCLiHMokMPmlPcKhNkxSfoosYGYzWBAYSlPqvVTmQDWkDtonXzSYWslJxzoqNPfkfBaFF\Trascinava.exe.com
        
        C:\Users\Admin\AppData\Roaming\ieBjZPIwrfYTIGFlspmRCLiHMokMPmlPcKhNkxSfoosYGYzWBAYSlPqvVTmQDWkDtonXzSYWslJxzoqNPfkfBaFF\Trascinava.exe.com Y
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nrmdvgocmm.vbs"
        6⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:2988
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1132.tmp

Filesize
311B

MD5
9105750f17d90587cfdb3073e3db4b41

SHA1
68299e57ccb94050710511c9fba7f144af55038d

SHA256
325bea9d40295cd711d613b7dcb0958e04a537f751b177573a9c40303a4879f9

SHA512
07fcd8e2811bc7d8a481694d32a8d220a03ec99dfd8b9f55de99ff8327d392c6afbd821358b5087e29120b5a6d706f258c723585d3c69a26c1b0c385722256de

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrmdvgocmm.vbs

Filesize
142B

MD5
8e72fa6d33a391611fd671db85b674cf

SHA1
d408356109ae9b158ebe87cf5a56a34e1bf3d34f

SHA256
0452e5e00edef25f66bb4af0ca123bb953ddb315eef34f04e28eda96b75c8c29

SHA512
f93647b931879ce020e2079348b5c088cd2c8c647eeae60d6e4a5d4d3430272aaa6451719f985695ee790ed72d28cd59133a6faf38eb968640b4d63ce7f7e0c3

Download Submit
C:\Users\Admin\AppData\Roaming\ieBjZPIwrfYTIGFlspmRCLiHMokMPmlPcKhNkxSfoosYGYzWBAYSlPqvVTmQDWkDtonXzSYWslJxzoqNPfkfBaFF\Aprile.msi

Filesize
111KB

MD5
8467341efcb627b3b7c7997b9d18a2b3

SHA1
7902e7833c474f2fe4bd88669fcb103c8191617e

SHA256
7f8560f97d2f23f4006ca8bef5d9682f1e621636f821cc03ba2187835443dab4

SHA512
fb59e9b9c0a463977f1100076f37193dcfa29e2dac2487a19914409c78134b741ecdf59cf3797ccffb5628be008068e0e09d57326487dcc9f3c7864e859cf418

Download Submit
C:\Users\Admin\AppData\Roaming\ieBjZPIwrfYTIGFlspmRCLiHMokMPmlPcKhNkxSfoosYGYzWBAYSlPqvVTmQDWkDtonXzSYWslJxzoqNPfkfBaFF\Distrugge.msi

Filesize
635KB

MD5
ca9ab8aa57ce91b56ea5f97fc2ff6deb

SHA1
0aed949c17de918b8fcdc28112279bd949660369

SHA256
1c62c5b0f8c9f1f6ebbe1df515175b6a5620c6c623d3c51b05042a1646bb4d02

SHA512
4f4f6037802a2dca4cee15c8564a2f0755aeb94903eb4467407c1a735d980333a4eb7b1b1ef4cf0923aefdb5a42fc6d4287139a7357ea9daa83783f8e1cb5c53

Download Submit
C:\Users\Admin\AppData\Roaming\ieBjZPIwrfYTIGFlspmRCLiHMokMPmlPcKhNkxSfoosYGYzWBAYSlPqvVTmQDWkDtonXzSYWslJxzoqNPfkfBaFF\Invece.msi

Filesize
140KB

MD5
47ebadd7365c2186dacce71f058e30f0

SHA1
3ed2838977d943570245762f220ab6e790cc1a05

SHA256
9ef508c77abe54699966ce4bb3328e7fc76f3b8ad3b22e53ff5e449f238b7b2f

SHA512
2cebcac856c1b07f852edeed14b004db34204ca072c21daae5b0ebe726107243f5bf37062b4694a50a558add81ec9b546c3bc1c0f5fa6bb7cd73afebd82a3c41

Download Submit
C:\Users\Admin\AppData\Roaming\ieBjZPIwrfYTIGFlspmRCLiHMokMPmlPcKhNkxSfoosYGYzWBAYSlPqvVTmQDWkDtonXzSYWslJxzoqNPfkfBaFF\Tese.msi

Filesize
921KB

MD5
c5de73401a4ad08730d7448f9db41add

SHA1
81bc3db1099aba71c987f8fd889d706a23618ca7

SHA256
aefe8c340ebcceae51f9017ccf56a74a6f5efc5012523d68a76b2d397dbc238a

SHA512
3004583935d5c1aa2e118abbe197bcac4c2f2f005741b9aef751d8de0b35acbc71ecd7993de44b32c4df45458c74e54c387fe88b842086583383f8625dc7cdb2

Download Submit
C:\Users\Admin\AppData\Roaming\ieBjZPIwrfYTIGFlspmRCLiHMokMPmlPcKhNkxSfoosYGYzWBAYSlPqvVTmQDWkDtonXzSYWslJxzoqNPfkfBaFF\Trascinava.exe.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/404-22-0x0000000003F60000-0x0000000003F88000-memory.dmp

Filesize
160KB

Download
memory/404-24-0x0000000003F60000-0x0000000003F88000-memory.dmp

Filesize
160KB

Download
memory/404-25-0x0000000003F60000-0x0000000003F88000-memory.dmp

Filesize
160KB

Download
memory/404-26-0x0000000003F60000-0x0000000003F88000-memory.dmp

Filesize
160KB

Download
memory/404-23-0x0000000003F60000-0x0000000003F88000-memory.dmp

Filesize
160KB

Download
memory/404-21-0x0000000003F60000-0x0000000003F88000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads