3bdbca5f67754b92ff8d89e2db9f0ed3c5d50f8b434577866d18faa4c1fd343c

Analysis

max time kernel
100s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06/08/2024, 22:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3bdbca5f67754b92ff8d89e2db9f0ed3c5d50f8b434577866d18faa4c1fd343c.exe
Size

898KB
MD5

eeecdefa939b534bc8f774a15e05ab0f
SHA1

4a20176527706aea33b22f436f6856572a9e4946
SHA256

3bdbca5f67754b92ff8d89e2db9f0ed3c5d50f8b434577866d18faa4c1fd343c
SHA512

3253eaebc2b14186131ac2170f8a62fe8271bf20ddf8b1024036fd1f9a00ea2d8d8b79646af9a8476d440374146bec3130591779b083905563146921b969b381
SSDEEP

24576:juDXTIGaPhEYzUzA0aCuDXTIGaPhEYzUzA0bhK:KDjlabwz9QDjlabwz9lK

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3916	clamer.exe
3548	fseawd.exe
3276	ulex.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Test Task17.job	fseawd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fseawd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ulex.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 4100	3044	3bdbca5f67754b92ff8d89e2db9f0ed3c5d50f8b434577866d18faa4c1fd343c.exe	81
PID 3044 wrote to memory of 4100	3044	3bdbca5f67754b92ff8d89e2db9f0ed3c5d50f8b434577866d18faa4c1fd343c.exe	81
PID 4100 wrote to memory of 3916	4100	cmd.exe	85
PID 4100 wrote to memory of 3916	4100	cmd.exe	85
PID 3916 wrote to memory of 3548	3916	clamer.exe	87
PID 3916 wrote to memory of 3548	3916	clamer.exe	87
PID 3916 wrote to memory of 3548	3916	clamer.exe	87

C:\Users\Admin\AppData\Local\Temp\3bdbca5f67754b92ff8d89e2db9f0ed3c5d50f8b434577866d18faa4c1fd343c.exe
"C:\Users\Admin\AppData\Local\Temp\3bdbca5f67754b92ff8d89e2db9f0ed3c5d50f8b434577866d18faa4c1fd343c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe
    clamer.exe -priverdD
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\fseawd.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\fseawd.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:3548

C:\ProgramData\vqlfvc\ulex.exe
C:\ProgramData\vqlfvc\ulex.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
37B

MD5
28151380c82f5de81c1323171201e013

SHA1
ae515d813ba2b17c8c5ebdae196663dc81c26d3c

SHA256
bb8582ce28db923f243c8d7a3f2eccb0ed25930f5b5c94133af8eefb57a8231d

SHA512
46b29cba0dc813de0c58d2d83dc298fa677921fd1f19f41e2ed3c7909c497fab2236d10a9ae59b3f38e49cf167964ede45e15543673a1e0843266242b8e26253

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe

Filesize
453KB

MD5
135b0687503cb65f57e494eed9a6f551

SHA1
a4ed81f972c32d3170b5b33e67a41abbd6c1184a

SHA256
acc6551cf9cf2b8292f8f384467920fc633fdcdc4e5431794dd850ae66a8a457

SHA512
9253143306c6733180b0bea3c7463b4ca8d22a970a65eae05f766ced87ed973c0670867f69b8c72d318d93719da712276e64041a8b4269e818e41de113f6e22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fseawd.exe

Filesize
16KB

MD5
e7d405eec8052898f4d2b0440a6b72c9

SHA1
58cf7bfcec81faf744682f9479b905feed8e6e68

SHA256
b63a0e5f93b26ad0eeb9efba66691f3b7e7f51e93a2f0098bde43833f7a24cc2

SHA512
324507084bd56f7102459efe7b3c2d2560f4e89ed03ec4a38539ebb71bccdf1def7bc961c259f9b02f4b2be0d5e095136c9efcd5fc3108af3dc61d24970d6121

Download Submit
C:\Windows\Tasks\Test Task17.job

Filesize
234B

MD5
40f7e7530b89cc55e036e9c5611457ca

SHA1
04837a149cd5768880b22435d1124e8efc1ed86f

SHA256
21c93c6f2721057db384e96e54a34a5c6177f0aefbbbeff10289b3dd4d4ae55a

SHA512
0dd59907dee70e3756411d1ac59e036cec2296405081d30e78e2206754b12b7ad4e834ff213706bede8a9c64b10db307efb1026f7ab90884fc848c818decfaa9

Download Submit