6528661891b7280d3b198cb54ef2cdbc356192ae92255a076c5048ca722f493c

Analysis

max time kernel
240s
max time network
242s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07/08/2024, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GBgvQcZI.exe
Size

5.4MB
MD5

44a4d63d84c1994a941860fdf0a10aae
SHA1

0150f8f5bda824262045c0527fde43a7907769a9
SHA256

ef4b5c68a718ac34a957ada64a366868b7a609887208634d46e5ad75a8c70bdc
SHA512

91c7a98e242791fab3d387d7df2a41e9880ef5a4038324222e095f894b68530cad1cba17a195f7a4c5aff32162368c54c60a11afa567699807df630a35d92276
SSDEEP

98304:CuWti1XTyinOyRivbmBoPhvTdhnstbgjO2rXftnFO8KDTkecARNFh/B:C9gTyZyRcbsoPZm8fO8skec2h5

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2452	bhUYOqb.exe

Loads dropped DLL 4 IoCs

pid	Process
1712	GBgvQcZI.exe
1712	GBgvQcZI.exe
1712	GBgvQcZI.exe
1712	GBgvQcZI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GBgvQcZI.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2452	1712	GBgvQcZI.exe	29
PID 1712 wrote to memory of 2452	1712	GBgvQcZI.exe	29
PID 1712 wrote to memory of 2452	1712	GBgvQcZI.exe	29
PID 1712 wrote to memory of 2452	1712	GBgvQcZI.exe	29

C:\Users\Admin\AppData\Local\Temp\GBgvQcZI.exe
"C:\Users\Admin\AppData\Local\Temp\GBgvQcZI.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\bhUYOqb.exe
  "C:\Users\Admin\AppData\Local\Temp\bhUYOqb.exe"
  2⤵
  - Executes dropped EXE
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\bhUYOqb.exe

Filesize
125KB

MD5
4672adb9826ab075ef62f2739cfd64dd

SHA1
501581229a209a6b44c999a56916d5bf182ed29a

SHA256
2b9901eb640caec6a590be613800396ec132689c66de2be128915ee86c4c9367

SHA512
f165dd7c13af6adc195bbff34b2daa5c7f156eac04672d583161c31d6191bd07f762a612adc08cf44a8f8284133505de207d79a083163421a1b26717225aa207

Download Submit