1cc7e3c2c71cf510a446d25c502464d359b7fc9205fb85b1883e6147cf4e9e6b

Analysis

max time kernel
132s
max time network
133s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/MP3RocketBundle.exe
Size

100KB
MD5

4e9f889d566a3e9a01874b1e6ed81529
SHA1

6cbe50c018f98400e8a79cfe4ba6424d5e4a8a65
SHA256

a30cacd1ab22f54068ea2bc76ba188a8b6f738a8d62bbb0908883d6cb20d55d8
SHA512

09a55950156f219628c07b882843040eebbce3f1dff3f2462f23b746a9acd542230bd9da24455ba7911a2e28cddc3f27b193a4a61bfaab70d1621b730524a764
SSDEEP

1536:u42cPHBg5mVXkJFw/Z4RoFCtQuYcefNF7P35URJ/IVcKXV4d6v//dGF:u42U65mXkJFU4pCC47P35URBIV1id5F

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1684	zwankysearch-stub.exe
1384	zwankysearch-stub.exe

Loads dropped DLL 16 IoCs

pid	Process
2888	MP3RocketBundle.exe
2888	MP3RocketBundle.exe
2888	MP3RocketBundle.exe
2888	MP3RocketBundle.exe
2888	MP3RocketBundle.exe
2888	MP3RocketBundle.exe
2888	MP3RocketBundle.exe
2888	MP3RocketBundle.exe
2888	MP3RocketBundle.exe
2888	MP3RocketBundle.exe
2888	MP3RocketBundle.exe
2888	MP3RocketBundle.exe
2888	MP3RocketBundle.exe
2888	MP3RocketBundle.exe
2888	MP3RocketBundle.exe
1684	zwankysearch-stub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MP3RocketBundle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zwankysearch-stub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zwankysearch-stub.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 1684	2888	MP3RocketBundle.exe	31
PID 2888 wrote to memory of 1684	2888	MP3RocketBundle.exe	31
PID 2888 wrote to memory of 1684	2888	MP3RocketBundle.exe	31
PID 2888 wrote to memory of 1684	2888	MP3RocketBundle.exe	31
PID 1684 wrote to memory of 1384	1684	zwankysearch-stub.exe	32
PID 1684 wrote to memory of 1384	1684	zwankysearch-stub.exe	32
PID 1684 wrote to memory of 1384	1684	zwankysearch-stub.exe	32
PID 1684 wrote to memory of 1384	1684	zwankysearch-stub.exe	32

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MP3RocketBundle.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MP3RocketBundle.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\zwankysearch-stub.exe
  zwankysearch-stub.exe -override -t ZwankyMp3rocket -i 0c7e7a80b71443caa38846e5545b197a -p -p ZwankyMp3rocket -i 0c7e7a80b71443caa38846e5545b197a /S
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\zwankysearch-stub.exe
    C:\Users\Admin\AppData\Local\Temp\zwankysearch-stub.exe -bkg -override -t ZwankyMp3rocket -i 0c7e7a80b71443caa38846e5545b197a -p -p ZwankyMp3rocket -i 0c7e7a80b71443caa38846e5545b197a /S
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\stb23F6.tmp\setup.exe

Filesize
763B

MD5
b041950be72e5343c8d8cda8b1294d98

SHA1
6346d07d1c0589e471eb4fdf10ff4aab671ebaac

SHA256
05deac35ebe2e9081c3c6708c2dda1b4d81fd8c44b7023d9dc29fe71470932cb

SHA512
ed4b18e456128032036796a331e226c5f2c24fcff6d7a03be9aa7887bba2581160b06ffa2527b22bc6320c5e16a689f2e26633d14010c848c54c41c007f450ee

Download Submit
\Users\Admin\AppData\Local\Temp\nso2158.tmp\System.dll

Filesize
10KB

MD5
fe24766ba314f620d57d0cf7339103c0

SHA1
8641545f03f03ff07485d6ec4d7b41cbb898c269

SHA256
802ef71440f662f456bed6283a5ff78066af016897fe6bfd29cac6edc2967bbd

SHA512
60d36959895cebf29c4e7713e6d414980139c7aa4ed1c8c96fefb672c1263af0ce909fb409534355895649c0e8056635112efb0da2ba05694446aec2ca77e2e3

Download Submit
\Users\Admin\AppData\Local\Temp\zwankysearch-stub.exe

Filesize
72KB

MD5
3defdaf228898cd12e4000bec947b256

SHA1
90cb97d8f23c0d69db680a6ecbced55494d53179

SHA256
4c0aeb046e99ba88dce65e1095a441b367c8bce086152b0b7efdc96e963c31a1

SHA512
2d6a2fc4cd33f163b03da79c44adad50d28249504de2f6207b2c6f4773da2f1aa445c4d515a5fc565ce3c381b2003995ff0fa4b7cb45eb3fdf5676e5fbb408db

Download Submit