07b6246eae5c01819475f3d1a0a10d4f7d6a50359260256f9ccaee686fa2d299

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2bc8adaeb18ec8f5894bc4a1657d1d0N.exe
Size

208KB
MD5

d2bc8adaeb18ec8f5894bc4a1657d1d0
SHA1

aa4fcfd5dbd72bbbd6d5cea3789d6dd16e0e6104
SHA256

07b6246eae5c01819475f3d1a0a10d4f7d6a50359260256f9ccaee686fa2d299
SHA512

bf299dae8e5055ee7b596bc84c70d6405616d3ff4de401c2cec53c2dfef4b2803c31c22e34fd49a6741b3974292744b1e12776edc4fd52958c757c125cf0aca0
SSDEEP

6144:arYTgEMnRNLPI3YHB9/vMYRbbdfHKPQEj:OBEIjU8IPQ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2788	CYJGJIY.exe

Loads dropped DLL 2 IoCs

pid	Process
2700	cmd.exe
2700	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\CYJGJIY.exe	d2bc8adaeb18ec8f5894bc4a1657d1d0N.exe
File opened for modification	C:\windows\SysWOW64\CYJGJIY.exe	d2bc8adaeb18ec8f5894bc4a1657d1d0N.exe
File created	C:\windows\SysWOW64\CYJGJIY.exe.bat	d2bc8adaeb18ec8f5894bc4a1657d1d0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2bc8adaeb18ec8f5894bc4a1657d1d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CYJGJIY.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2756	d2bc8adaeb18ec8f5894bc4a1657d1d0N.exe
2756	d2bc8adaeb18ec8f5894bc4a1657d1d0N.exe
2788	CYJGJIY.exe
2788	CYJGJIY.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2756	d2bc8adaeb18ec8f5894bc4a1657d1d0N.exe
2756	d2bc8adaeb18ec8f5894bc4a1657d1d0N.exe
2788	CYJGJIY.exe
2788	CYJGJIY.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2700	2756	d2bc8adaeb18ec8f5894bc4a1657d1d0N.exe	31
PID 2756 wrote to memory of 2700	2756	d2bc8adaeb18ec8f5894bc4a1657d1d0N.exe	31
PID 2756 wrote to memory of 2700	2756	d2bc8adaeb18ec8f5894bc4a1657d1d0N.exe	31
PID 2756 wrote to memory of 2700	2756	d2bc8adaeb18ec8f5894bc4a1657d1d0N.exe	31
PID 2700 wrote to memory of 2788	2700	cmd.exe	33
PID 2700 wrote to memory of 2788	2700	cmd.exe	33
PID 2700 wrote to memory of 2788	2700	cmd.exe	33
PID 2700 wrote to memory of 2788	2700	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\d2bc8adaeb18ec8f5894bc4a1657d1d0N.exe
"C:\Users\Admin\AppData\Local\Temp\d2bc8adaeb18ec8f5894bc4a1657d1d0N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\CYJGJIY.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\windows\SysWOW64\CYJGJIY.exe
    C:\windows\system32\CYJGJIY.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\CYJGJIY.exe.bat

Filesize
78B

MD5
f3f8ccdad7706ea222cdc6267a248709

SHA1
98c9a3465e83ca50a524c290aad06009eb8f061e

SHA256
40e4fa49f2397f8ca6cd90f58cc752abeeee7769ee844357d69f47f15dde179b

SHA512
afb128228d58200b7b351a19f2ffc5233e6d11c9aff00cc2068d685fd014d838504f5bab7d5c1157adb6e309a1623d4ecb962c04905c72388c0463a50cfca8f7

Download Submit
\Windows\SysWOW64\CYJGJIY.exe

Filesize
208KB

MD5
28ef4359b5633eeeb0bdff7b96ed493a

SHA1
e5493ac90336355e641cf6399d9789819b22b69f

SHA256
7756cf91b066024a775e1c615f57eda4f8268c2f79f5ce8202d1740a4d31f86d

SHA512
2c2ec0daabe688417389c8bd406029f0ce5f4fc0b8918721f3befef04965507ef43a9c8039205f51ea9b5cee14d9487b4cfc7140caba5e4b63ffd6f6109a577e

Download Submit
memory/2700-18-0x0000000000140000-0x0000000000178000-memory.dmp

Filesize
224KB

Download
memory/2700-17-0x0000000000140000-0x0000000000178000-memory.dmp

Filesize
224KB

Download
memory/2756-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2756-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2788-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2788-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download