Analysis

  • max time kernel
    102s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/08/2024, 06:47

General

  • Target

    7264e06415d44a4f27a742b656bcf300N.exe

  • Size

    108KB

  • MD5

    7264e06415d44a4f27a742b656bcf300

  • SHA1

    3e54aeedad0e6e2fbce41cd25dd3a218445a36dc

  • SHA256

    c4fb2c64f21ff9af561dddfd4e7cdfbac306d567cfa47dcac9db1c70ef6930c2

  • SHA512

    baa2a7beb833d4f1ed1fe2c6ca147b2ca6400e0fe8ea13d5f5537a5382e4bd21658857970ff21ee758dcd13c2b40ffbf36d60b70e798e3c68eb38e90aebfa1df

  • SSDEEP

    1536:fm6qIzdCg0b6shaFMF2yC1PYm4PwYFatvmUgUe/lVyiiyaECHAX5mROMwOMQXp:e6l8gI4MFvg74PwYFaRElVNie0ROfOlp

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7264e06415d44a4f27a742b656bcf300N.exe
    "C:\Users\Admin\AppData\Local\Temp\7264e06415d44a4f27a742b656bcf300N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2004
    • \??\c:\users\admin\appdata\local\temp\winlgon.exe
      c:\users\admin\appdata\local\temp\winlgon.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\Users\Admin\AppData\Local\Temp\rgsvr32.exe
        C:\Users\Admin\AppData\Local\Temp\rgsvr32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1164

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\rgsvr32.exe

    Filesize

    32KB

    MD5

    c69668e8701ace09333e5fa5f81b7338

    SHA1

    3a0c8aa50e729b7131dd357915bc05cd209175cf

    SHA256

    5741ea1c2beb231b8eb92219a7db7f5f12bd79eb75bdf26ad55587df8c4d6956

    SHA512

    cc1fd3929e06867eff252b7e0d8740f1c1d5d6480e45152d01efe565b60c6a1fdbc6529d37c7bc9a4016678f9abccae2aa1ba6dec071a7a8dd237ef0f3dfd166

  • C:\Users\Admin\AppData\Local\Temp\winlgon.exe

    Filesize

    108KB

    MD5

    1788f4d304843451183ed7b8b5f81627

    SHA1

    3b9baf324f6fed54c0acf5351702be5b5aedc608

    SHA256

    3db68cbe38693eae62a4bc853f83ea1037e6d32fcf6cf694487a92dd5d5b6f0f

    SHA512

    5906589118544b28a8c4dd9241fdac3cb51fee21ea380d9852a8d604a7a4f967172771a2c2982349d7a256b97c9e761ce0b671ce11b20774898c843982557c07