22503a27c8bd1299e67f484b0c750276323d5a97b9dd45e1da7a935fe377ec1e

Resubmissions

02-08-2024 16:33

240802-t2wr5s1eqj 10

Analysis

max time kernel
148s
max time network
135s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02-08-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

103KB
MD5

4a953a639593adb97eacef0e3992b818
SHA1

ecf5ae2648ec0660c82912c0fd6ecc7fbfab9df2
SHA256

f3ea4dfbb6a31ba417d3e9caa90159e0e786226743a7b5ed04701f847054366f
SHA512

ea701c6474dfa1d910c5c3abbfa01e615bab73521f841eb15b9d76488cff6e6aa33caff4c7c65bfc97f8ff47e06e17e9979cd0ff305fd18aed76729500822e3b
SSDEEP

3072:d1Gqq3S4eaIv3RcX00sQJS+a/u/uLx0By:d1Gqq3LeRChsQQ+a/x0By

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Sougou.exe

pid process

4760 Sougou.exe

pid	process
4760	Sougou.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1.exeSougou.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Ball = "C:\\progra~1\\Common Files\\Sogou.exe"	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Ball = "C:\\progra~1\\Common Files\\Sogou.exe"	Sougou.exe

Drops file in System32 directory 1 IoCs

Processes:

Sogou.exe

description ioc process

File created C:\Windows\SysWOW64\Sougou.exe Sogou.exe
Drops file in Program Files directory 1 IoCs

Processes:

Sougou.exe

description ioc process

File created C:\progra~1\Common Files\Sogou.exe Sougou.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Sougou.exe	Sogou.exe

description	ioc	process
File created	C:\progra~1\Common Files\Sogou.exe	Sougou.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1.exeSogou.exeSougou.exeSogou.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sogou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sougou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sogou.exe

Suspicious behavior: RenamesItself 3 IoCs

Processes:

1.exeSogou.exeSogou.exe

pid process

4932 1.exe
3052 Sogou.exe
4088 Sogou.exe

pid	process
4932	1.exe
3052	Sogou.exe
4088	Sogou.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1.exeSougou.exe

description	pid	process	target process
PID 4932 wrote to memory of 3052	4932	1.exe	Sogou.exe
PID 4932 wrote to memory of 3052	4932	1.exe	Sogou.exe
PID 4932 wrote to memory of 3052	4932	1.exe	Sogou.exe
PID 4760 wrote to memory of 4088	4760	Sougou.exe	Sogou.exe
PID 4760 wrote to memory of 4088	4760	Sougou.exe	Sogou.exe
PID 4760 wrote to memory of 4088	4760	Sougou.exe	Sogou.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4932

C:\progra~1\Common Files\Sogou.exe
"C:\progra~1\Common Files\Sogou.exe"
2⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
PID:3052

C:\Windows\SysWOW64\Sougou.exe
C:\Windows\SysWOW64\Sougou.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4760

C:\progra~1\Common Files\Sogou.exe
"C:\progra~1\Common Files\Sogou.exe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
PID:4088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4824

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Sougou.exe
Filesize
27.1MB

MD5
de052bcf8c5f1f9415f1dd02fbf5d7bd

SHA1
100b35c23669a8dae96a144d9fb38d101d56f41d

SHA256
7669cb7d7ac2c19cb83023393655098d3947cbe7cf4b85f77eb75e2847b984e0

SHA512
f7f2b449d941e56ceb0dfade2b99913f95a94741bd6878ba35fba2e5a887857deaf6fb3cb56ad98ffbb0219fbcf28ec275040a917342ba14aa7bafde3bb676c5

Download Submit
memory/3052-3-0x0000000000400000-0x0000000000419EE0-memory.dmp

Filesize
103KB

Download
memory/4088-6-0x0000000000400000-0x0000000000419EE0-memory.dmp

Filesize
103KB

Download
memory/4760-5-0x0000000000400000-0x0000000000419EE0-memory.dmp

Filesize
103KB

Download
memory/4932-4-0x0000000000400000-0x0000000000419EE0-memory.dmp

Filesize
103KB

Download