5d236aec150031b67d9f607ef55b8a9147d80290b0c8b7dec079ca3ea335ccaf

Analysis

max time kernel
140s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ppk.exe
Size

8.0MB
MD5

0f95b520713b5a4317cd52b79081b495
SHA1

87dcd2bad75951c2b107e99e9b6786848eb57daa
SHA256

5b1d77568a4f3c506596129e7cb5faa35d9401b30201369ae6e6f982d32d6a5b
SHA512

bb59eb107413db21d9162f4ee705e479fdd55f6d58049ed6e8c634baad31b46976659aaf5a9e0cd6df0def3692488d4b7d477fcc42859ecbaed57afccf300b59
SSDEEP

196608:c+T3ym4QX+zLeUZWWzKEF+dsdcoyUdvjx/+uZwX:cWCVQX+zLTWv6ECxtZwX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2272	is-OV2JN.tmp

Loads dropped DLL 3 IoCs

pid	Process
948	ppk.exe
2272	is-OV2JN.tmp
2272	is-OV2JN.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-OV2JN.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2272	is-OV2JN.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 2272	948	ppk.exe	29
PID 948 wrote to memory of 2272	948	ppk.exe	29
PID 948 wrote to memory of 2272	948	ppk.exe	29
PID 948 wrote to memory of 2272	948	ppk.exe	29
PID 948 wrote to memory of 2272	948	ppk.exe	29
PID 948 wrote to memory of 2272	948	ppk.exe	29
PID 948 wrote to memory of 2272	948	ppk.exe	29

C:\Users\Admin\AppData\Local\Temp\ppk.exe
"C:\Users\Admin\AppData\Local\Temp\ppk.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:948
- C:\Users\Admin\AppData\Local\Temp\is-372DF.tmp\is-OV2JN.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-372DF.tmp\is-OV2JN.tmp" /SL4 $401B6 "C:\Users\Admin\AppData\Local\Temp\ppk.exe" 8162488 54784
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-372DF.tmp\is-OV2JN.tmp

Filesize
638KB

MD5
dc3b6973851ecd9f9f8a1c048fda4774

SHA1
ecf7f0cd0b666d2d63ab8c2fc5e92225f6d575bd

SHA256
a18d6048049272ab90a49579f18965889bddc391adadfacdbff922e3bdd75de6

SHA512
109f502869e640c2c70eb29bdb58ea2b1e40c274cf7165b40a7303efa47b738c8522b62b9d176051ffdc0d7a4ed820fd4eed0646dd357dc5cb2ff836d5bf5bb8

Download Submit
\Users\Admin\AppData\Local\Temp\is-TN9S3.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/948-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/948-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/948-15-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2272-16-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download