0ace954b2268b9c7c12b15cda24af0610ccbd7aeb2bc2faf0a717bc0ba4dca8e

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.8MB
MD5

77bfacca17ee1d89833b57f3a746d9a0
SHA1

aa9490c913489c5eafd02f67f875efcb56d23036
SHA256

38571b0965110d07c6fbf4813ab628d4017cf52c681c457fb3f184b644fb0b52
SHA512

21ecc2fce94a58cd39127964730b01722b9dafa20d3af65b023fe83188c08211ba1324849513ffc10b6a359737f98c4d06770dc1954f8880daff938a06581e6f
SSDEEP

49152:/SNY8H0ZGF5j51XdQTPRPgojx1NslvUOl/WkMWAH:oY00Z8F1XdUL

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$_3_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
844	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
844	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2692	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2692	$_3_.exe
2692	$_3_.exe
2692	$_3_.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 1752	2692	$_3_.exe	31
PID 2692 wrote to memory of 1752	2692	$_3_.exe	31
PID 2692 wrote to memory of 1752	2692	$_3_.exe	31
PID 2692 wrote to memory of 1752	2692	$_3_.exe	31
PID 1752 wrote to memory of 844	1752	cmd.exe	33
PID 1752 wrote to memory of 844	1752	cmd.exe	33
PID 1752 wrote to memory of 844	1752	cmd.exe	33
PID 1752 wrote to memory of 844	1752	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\17258.bat" "C:\Users\Admin\AppData\Local\Temp\400E396E4AE54F3199444B227FDECFFF\""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\17258.bat

Filesize
214B

MD5
739fcc7ba42b209fe44bea47e7a8c48f

SHA1
bc7a448a7c018133edcf012bc94301623eb42c5b

SHA256
69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c

SHA512
2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

Download Submit
C:\Users\Admin\AppData\Local\Temp\400E396E4AE54F3199444B227FDECFFF\400E396E4AE54F3199444B227FDECFFF_LogFile.txt

Filesize
9KB

MD5
389b3c22e388f1ad633cd3231d728c6e

SHA1
44e866eb2a4aafdc30799cd9a1fb708b16626258

SHA256
247537b095deaff3d8f9ee230fac421e8176057f49f9d662da986103c388546d

SHA512
58cb8e42afbbe15ba41c370ca76d874d709044148ab77de8ece95e877a857f0247ce5d176225e2710ca403b66b4163b1883534de1a020aec87f507e309b8e217

Download Submit
C:\Users\Admin\AppData\Local\Temp\400E396E4AE54F3199444B227FDECFFF\400E39~1.TXT

Filesize
124KB

MD5
564ecd0a0ad532fec9d2737b860c8bf9

SHA1
578e11a71760fef5e5477ec5d9a8b795b776b3ba

SHA256
c5de767d102d80ceb0b2112662d66ed57063d56abb53d15c4be49eee33dba3c6

SHA512
480c4939734e8f89daae382f0b408c3f4d05e5b8f5547fcd9518777b29793ccde31de4feca4fca218520d06b30b7b3ac4b174c07255df9ebebea8f7cb121eaa0

Download Submit
memory/2692-63-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download