Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-08-2024 02:21

General

  • Target
    98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe
  • Size
    88KB
  • MD5
    852c0d00b8742475efd18efd62d20a78
  • SHA1
    843fb8261f66bc4217e7d2e07afbe4e069e1e7fd
  • SHA256
    98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6
  • SHA512
    b4a62e31061e3b94387f8a217027c2d2bc65efe19ad272889638056ed55619a7a350c7af9f559d6c265f4408b2e46623d1e89ed4c4a19ada00b8684a32dca6f4
  • SSDEEP
    1536:t5piVnDXkTbhCtaB6GVA/bVQPxfgiqfoOonoKg+yOH5y/yEm:6D0ctAVA/bmxIMnoKjyR/Nm

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe
    "C:\Users\Admin\AppData\Local\Temp\98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Users\Admin\AppData\Local\Temp\98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe
      "C:\Users\Admin\AppData\Local\Temp\98d2db31332c8db37598fda4b9204cda73e3010044b147e927f3a7d40242ebf6.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:11916
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IJGOA.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:6072
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "winlogon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:6000
      • C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
        "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:6032

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IJGOA.bat
    Filesize
    149B
    MD5
    6831b89d0b8dc3e07588d733e75c122b
    SHA1
    8c70088c3224bbaf535ed19ec0f6bd5231c543be
    SHA256
    9fe102f2c6dff35f03787b85f725d12347cf491c897730a7f2e818f65177ffc2
    SHA512
    699fb44a25032ee4ad0ace1f941c826b333baddb65049c22e80b272909e85f4c8a00fef73fe2d97fa8998a0b6969b13461237bfc1e8f9bf711849d17d0cda6da

  • \Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
    Filesize
    88KB
    MD5
    ad18ce4cfe019db54f72e6085d0b7ca4
    SHA1
    cc981487c2ab91cd1443747304f7ae0ab43ed2ad
    SHA256
    9bbb0ddb5648c92aacdec5b6bae23062a79436a6468cbe21e67492c3cef1d4bc
    SHA512
    354362f8af400bde3e79b9cdb83662528089754cca36f905196ab4660ae0e6d0a813be9b89925827998fe4b3640cd1f45119e6c897a6e2b6d1a87edd138a4378
