Analysis

  • max time kernel
    38s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-08-2024 22:16

General

  • Target

    5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe

  • Size

    281KB

  • MD5

    e2e03488307f8b2d60de71cde2cdc8ac

  • SHA1

    5a4b5583bb23bdd6c0920d76d0be61f883f10c7f

  • SHA256

    5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3

  • SHA512

    4a3d65d5d946e616b8b65af0e8d797af1b6c3c95af56d38cafb3c13d3d06062d43c13da9d7f8ace5f8ef728515b79646782124b1975a39de124e70023df959ff

  • SSDEEP

    6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkfv:boSeGUA5YZazpXUmZhZ6SK

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe
    "C:\Users\Admin\AppData\Local\Temp\5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
      "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
        "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
        3⤵
          PID:2972
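The signature list and process tree above describe a two-stage chain: the submitted file writes a 281KB binary (same size as the dropper, but a different hash, so not a byte-for-byte copy) under AppData\Roaming\b1b2dqljdx3\, executes it, and that process spawns a second instance of itself while the sandbox flags WriteProcessMemory and a Run-key write. The block below is an added example, not part of the sandbox output, that turns those observations into triage rules run over Sysmon-style process and registry events. The hashes and paths are copied from the report; the explorer.exe parent of PID 1668, the Run-key value name and data, and the "random %APPDATA% path" regex are assumptions.

```python
"""Triage rules for the dropper chain in this report (added example, not sandbox output)."""
import re
from dataclasses import dataclass

# Copied from the report. Everything else in this file is an assumption.
DROPPER_SHA256 = "5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3"
DROPPED_SHA256 = "66f3be3ec13c7cc9465e8568254140bbbfd33e1cf8b3b6bbd94fe0d4ba1d5c68"
KNOWN_SHA256 = {DROPPER_SHA256, DROPPED_SHA256}
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"

# b1b2dqljdx3\a1punf5t2of.exe looks machine-generated, so key on the shape of the
# path (%APPDATA%\<alnum>\<alnum>.exe) rather than the literal names. Assumption:
# related samples randomise both components.
RANDOM_APPDATA_EXE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[a-z0-9]{8,16}\\[a-z0-9]{8,16}\.exe$",
    re.IGNORECASE,
)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)


@dataclass
class ProcEvent:  # Sysmon event 1 (process create), reduced to the fields the rules use
    pid: int
    ppid: int
    image: str
    sha256: str = ""


@dataclass
class RegEvent:  # Sysmon event 13 (registry value set)
    pid: int
    target: str
    details: str


def rule_known_hash(ev: ProcEvent) -> bool:
    return ev.sha256.lower() in KNOWN_SHA256


def rule_random_appdata_path(ev: ProcEvent) -> bool:
    return RANDOM_APPDATA_EXE.match(ev.image) is not None


def rule_self_spawn(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> bool:
    """Child image identical to parent image (PID 2684 -> 2972 above). Together with
    WriteProcessMemory this is the usual shape of a hollowed or injected second stage."""
    parent = by_pid.get(ev.ppid)
    return parent is not None and parent.image.lower() == ev.image.lower()


def rule_run_key_to_appdata(ev: RegEvent) -> bool:
    """Run-key value whose data points into %APPDATA%. The report only shows that a
    Run key was written; the value pointing at the dropped EXE is an assumption."""
    return RUN_KEY.search(ev.target) is not None and "\\appdata\\roaming\\" in ev.details.lower()


def triage(procs: list[ProcEvent], regs: list[RegEvent]) -> dict[int, list[str]]:
    """Return the rule names that fired, keyed by PID (PIDs with no hits are omitted)."""
    by_pid = {p.pid: p for p in procs}
    hits: dict[int, list[str]] = {}
    for p in procs:
        names = []
        if rule_known_hash(p):
            names.append("known_hash")
        if rule_random_appdata_path(p):
            names.append("random_appdata_path")
        if rule_self_spawn(p, by_pid):
            names.append("self_spawn")
        if names:
            hits[p.pid] = names
    for r in regs:
        if rule_run_key_to_appdata(r):
            hits.setdefault(r.pid, []).append("run_key_to_appdata")
    return hits


# Constructed events mirroring the process tree above. PID 1000 (explorer.exe) as the
# parent of 1668, the SID, and the Run-key value are assumptions, not report data.
SAMPLE_PROCS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe"),
    ProcEvent(1668, 1000, DROPPER, DROPPER_SHA256),
    ProcEvent(2684, 1668, DROPPED, DROPPED_SHA256),
    ProcEvent(2972, 2684, DROPPED, DROPPED_SHA256),
]
SAMPLE_REGS = [
    RegEvent(1668, r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\a1punf5t2of", DROPPED),
]

if __name__ == "__main__":
    for pid, names in triage(SAMPLE_PROCS, SAMPLE_REGS).items():
        print(pid, ", ".join(names))
```

On the constructed events, PID 1668 fires the hash and Run-key rules, PID 2684 adds the random-path rule, and PID 2972 is the only one that also fires self_spawn; on a real host the path and self-spawn rules are the ones that survive a rebuild of the sample, since both hashes change the moment the dropper is recompiled.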

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • \Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

      Filesize

      281KB

      MD5

      92b2c0fe8d5f5146c29520a34e51d2a1

      SHA1

      0130a602ddfd766d4f910720f232772e9fa6ec4b

      SHA256

      66f3be3ec13c7cc9465e8568254140bbbfd33e1cf8b3b6bbd94fe0d4ba1d5c68

      SHA512

      c485219175328f2aba8e529a7de56a8e23038f520316888a06c3a8d4787b796c4b22dd6ab531c1dc5989a9ab244c58187b23d71b1b8f624a5eb211f8886526a4

    • memory/1668-0-0x0000000074021000-0x0000000074022000-memory.dmp

      Filesize

      4KB

    • memory/1668-1-0x0000000074020000-0x00000000745CB000-memory.dmp

      Filesize

      5.7MB

    • memory/1668-2-0x0000000074020000-0x00000000745CB000-memory.dmp

      Filesize

      5.7MB

    • memory/1668-3-0x0000000074020000-0x00000000745CB000-memory.dmp

      Filesize

      5.7MB

    • memory/1668-12-0x0000000074020000-0x00000000745CB000-memory.dmp

      Filesize

      5.7MB

    • memory/2684-14-0x0000000074020000-0x00000000745CB000-memory.dmp

      Filesize

      5.7MB

    • memory/2684-15-0x0000000074020000-0x00000000745CB000-memory.dmp

      Filesize

      5.7MB

    • memory/2684-16-0x0000000074020000-0x00000000745CB000-memory.dmp

      Filesize

      5.7MB

    • memory/2684-13-0x0000000074020000-0x00000000745CB000-memory.dmp

      Filesize

      5.7MB

    • memory/2684-18-0x0000000074020000-0x00000000745CB000-memory.dmp

      Filesize

      5.7MB

    • memory/2684-19-0x0000000074020000-0x00000000745CB000-memory.dmp

      Filesize

      5.7MB