Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/08/2024, 23:31

General

  • Target

    a91efe5e0ada9f637bcfdf9da117e490N.exe

  • Size

    176KB

  • MD5

    a91efe5e0ada9f637bcfdf9da117e490

  • SHA1

    7e347fbb376b7f83300b4338f8c87fe4f7b95adb

  • SHA256

    b12b03fcc165648292cd21e6e504f92f611a4a2fb0f865929b67b47580390da2

  • SHA512

    0d6a538f456c88903c22fa2bb3f0192036808ef4cce76a4b0e43d881d460adf8f053f3da1662ca484b7a2f2e6d619617d5c01cfc11f45d3d3f46aa9ffede6c29

  • SSDEEP

    3072:s9E4Wgbr57BVFqmx1E9Hqmz674Qbf6xET/nhqCoNWDY1TuDBujfgY1LRQBAhHuYK:+0MJBVlx+Vf274Q2xqhxoNH1Ti5YtuY

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1228
    • C:\Users\Admin\AppData\Local\Temp\a91efe5e0ada9f637bcfdf9da117e490N.exe
      "C:\Users\Admin\AppData\Local\Temp\a91efe5e0ada9f637bcfdf9da117e490N.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Users\Admin\AppData\Roaming\mtstcont\MuiUdt32.exe
        "C:\Users\Admin\AppData\Roaming\mtstcont\MuiUdt32.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3020
        • C:\Users\Admin\AppData\Local\Temp\~F90E.tmp
          "C:\Users\Admin\AppData\Local\Temp\~F90E.tmp"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2216
      • C:\Windows\SysWOW64\cmd.exe
        /C 259455324.cmd
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1832
        • C:\Windows\SysWOW64\attrib.exe
          attrib -r -s -h "a91efe5e0ada9f637bcfdf9da117e490N.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2784
  • C:\Windows\SysWOW64\cmstpugc.exe
    C:\Windows\SysWOW64\cmstpugc.exe -k
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2768

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\259455324.cmd

    Filesize

    198B

    MD5

    c9ba42f5ee7e20bf84e73fac573830ff

    SHA1

    91af7786e61b3ae8cfaf1302db79bc0793c09aba

    SHA256

    1382f7673903b961a857f26463a1989ad0011e19820dcb8ebed6f030d6bac0c9

    SHA512

    6bf9303fca07d2dd86cc377830282a27c52aac69ea611aff471b4f65b3bf4eb59ad9b2b63cb170261b9ca5b9250a34efa6a5b31bb796837119038882bad3fe1b

  • C:\Windows\SysWOW64\cmstpugc.exe

    Filesize

    176KB

    MD5

    a91efe5e0ada9f637bcfdf9da117e490

    SHA1

    7e347fbb376b7f83300b4338f8c87fe4f7b95adb

    SHA256

    b12b03fcc165648292cd21e6e504f92f611a4a2fb0f865929b67b47580390da2

    SHA512

    0d6a538f456c88903c22fa2bb3f0192036808ef4cce76a4b0e43d881d460adf8f053f3da1662ca484b7a2f2e6d619617d5c01cfc11f45d3d3f46aa9ffede6c29

  • \Users\Admin\AppData\Local\Temp\~F90E.tmp

    Filesize

    6KB

    MD5

    bf16ffc0fc2f9793ddc7cf52a5e1d73f

    SHA1

    9b6379e7f12d7438091fdb291680313dfd77c7b1

    SHA256

    68eb2116f720064a1d242332c6f9317d4fc68366a79fce4bc0e0dbb20065daba

    SHA512

    a5d39505f8f2181caa291276b27a5e1a336470db46b8a4d7008feae1e176d0121ff77172a8852a814212ae7ed004afcff0c0ed8caa38fadd8b1137661cb473e5

  • \Users\Admin\AppData\Roaming\mtstcont\MuiUdt32.exe

    Filesize

    176KB

    MD5

    879d78d7a8a21e3ec680ebd26cf8d9f4

    SHA1

    b5f196f414a28196f091d81487ab626f03328557

    SHA256

    ca47a78e350d547f2a5329050948e8cff45446eb77960e0a70456eb78ecbe76b

    SHA512

    e1a431732a4ac16cbe23ce3960f1c166df8cd1e2bae4a1054597b617f50c70ab454d603b6db26a2a70aace7feb91c0e0642f3ab4818fb5ad7b6c35b0e551f9b6

  • memory/1228-17-0x0000000002EE0000-0x0000000002F23000-memory.dmp

    Filesize

    268KB

  • memory/1228-18-0x0000000002EE0000-0x0000000002F23000-memory.dmp

    Filesize

    268KB

  • memory/1228-16-0x0000000002EE0000-0x0000000002F23000-memory.dmp

    Filesize

    268KB

  • memory/2360-0-0x00000000000E0000-0x0000000000120000-memory.dmp

    Filesize

    256KB

  • memory/2768-25-0x0000000000140000-0x0000000000180000-memory.dmp

    Filesize

    256KB

  • memory/2768-28-0x0000000000140000-0x0000000000180000-memory.dmp

    Filesize

    256KB

  • memory/2768-27-0x0000000000140000-0x0000000000180000-memory.dmp

    Filesize

    256KB

  • memory/3020-12-0x0000000000250000-0x0000000000290000-memory.dmp

    Filesize

    256KB