364d5f7c22b563605a1e0cf3dc36adfd0efa3d3be2606c45ffa7fbc2a7d3151b

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc0885eba0c879235bed533a6f0f7090N.exe
Size

208KB
MD5

fc0885eba0c879235bed533a6f0f7090
SHA1

28f117ede24743638a466b6e1cbb470c15019557
SHA256

364d5f7c22b563605a1e0cf3dc36adfd0efa3d3be2606c45ffa7fbc2a7d3151b
SHA512

dda3f02ca39421962b9e127556e7503503ccb6f324e687846fa89995de89cea4cc7ad5e772ece0102422efe8c4eb43c56017f2d58311901005072ce436d55c95
SSDEEP

6144:arYTgEMnRNLPI3YHB9/vMYRbbdfHKuQEj:OBEIjU8IuQ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2416	IFV.exe

Loads dropped DLL 2 IoCs

pid	Process
2816	cmd.exe
2816	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\system\IFV.exe	fc0885eba0c879235bed533a6f0f7090N.exe
File opened for modification	C:\windows\system\IFV.exe	fc0885eba0c879235bed533a6f0f7090N.exe
File created	C:\windows\system\IFV.exe.bat	fc0885eba0c879235bed533a6f0f7090N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc0885eba0c879235bed533a6f0f7090N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IFV.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2204	fc0885eba0c879235bed533a6f0f7090N.exe
2416	IFV.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2204	fc0885eba0c879235bed533a6f0f7090N.exe
2204	fc0885eba0c879235bed533a6f0f7090N.exe
2416	IFV.exe
2416	IFV.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2816	2204	fc0885eba0c879235bed533a6f0f7090N.exe	30
PID 2204 wrote to memory of 2816	2204	fc0885eba0c879235bed533a6f0f7090N.exe	30
PID 2204 wrote to memory of 2816	2204	fc0885eba0c879235bed533a6f0f7090N.exe	30
PID 2204 wrote to memory of 2816	2204	fc0885eba0c879235bed533a6f0f7090N.exe	30
PID 2816 wrote to memory of 2416	2816	cmd.exe	32
PID 2816 wrote to memory of 2416	2816	cmd.exe	32
PID 2816 wrote to memory of 2416	2816	cmd.exe	32
PID 2816 wrote to memory of 2416	2816	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\fc0885eba0c879235bed533a6f0f7090N.exe
"C:\Users\Admin\AppData\Local\Temp\fc0885eba0c879235bed533a6f0f7090N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system\IFV.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\windows\system\IFV.exe
    C:\windows\system\IFV.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\IFV.exe

Filesize
208KB

MD5
9b7d6795fc5d7c198754a4cd5adbf338

SHA1
b6318b735e32bccd99e6dc28ff5180644eca1869

SHA256
6992cf51682237a94e2928fc31d0b571f0967301b6ca6dc0ebe88e0d60bef985

SHA512
3424d0b48523fb22dd890e2b8132b8bbec058087cd38e1935573b8c1c4890168e21571098a36f976e9edc2c09f6d148319b6c45b228dce61e4e0e97608001607

Download Submit
C:\Windows\system\IFV.exe.bat

Filesize
66B

MD5
1ce635c916da06858d1e2938d56af75e

SHA1
379afca4e5b7e3b92973612c1e67e31f58e32ae2

SHA256
b57ef5c5beb3bc060b6132c751d137b318d4b1c70900e50840f4e52bb1d5501a

SHA512
759ffff2c3b5385fe7a7e2d716e1c2b85ec5cd6c884a5cf42e90341a6167d48a96c8ab8b71d1b7664ad7b6df5f56f7e1139e4f6be171bdf5d617cc14428c46f0

Download Submit
memory/2204-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2204-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2416-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2416-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download