Overview

overview

7

Static

static

3

f73ed2285c...0N.exe

windows7-x64

7

f73ed2285c...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    18-08-2024 15:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f73ed2285c7d5a238bebcef71d7a0c30N.exe

  • Size

    482KB

  • MD5

    f73ed2285c7d5a238bebcef71d7a0c30

  • SHA1

    acaff115fd0d88b668399a78b13c1de6db2e1af2

  • SHA256

    74c8aea534b21648aa52454b9e365129bc20efc47f6714ea4610e64bd343baee

  • SHA512

    9fb9822216bb1a9ada499ed3e39a7601e2782d0474160348762c7762c200c06272d57000a484122c56ac9f12048ab2289fe432faa3d748c45ebf6bce21a26dba

  • SSDEEP

    12288:T3lc87eqqV5e+wBV6O+VkSq9HrwV+6Ix6hFpJBbopMb:T3SqqHeVBxd9Hrw+6Ix6WpMb

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1184
    • C:\Users\Admin\AppData\Local\Temp\f73ed2285c7d5a238bebcef71d7a0c30N.exe
      "C:\Users\Admin\AppData\Local\Temp\f73ed2285c7d5a238bebcef71d7a0c30N.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Users\Admin\AppData\Roaming\mouneown\charnatt.exe
        "C:\Users\Admin\AppData\Roaming\mouneown"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2236
        • C:\Users\Admin\AppData\Local\Temp\~E88B.tmp
          1184 493576 2236 1
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2416
  • C:\Windows\SysWOW64\moundt32.exe
    C:\Windows\SysWOW64\moundt32.exe -s
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:2212

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~E88B.tmp
    Filesize

    8KB

    MD5

    86dc243576cf5c7445451af37631eea9

    SHA1

    99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

    SHA256

    25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

    SHA512

    c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

    Download Submit

  • \Users\Admin\AppData\Roaming\mouneown\charnatt.exe
    Filesize

    482KB

    MD5

    00da57e63df7a01da30d6cdf83290b5c

    SHA1

    853156622ffd1442b87651fe2777005c72ce0766

    SHA256

    f0266ba752df0ae02e9fd346c05afac28e24d5230ac26180dcfd3aa973156966

    SHA512

    4a54bceb1a8fef84c4c22aef758c48476b24868f1a88ad646bb1bd03ac408c89572d9ffce74452097a8ce1aa59c95385f53a4531ac7bf289c605c02cd1977189

    Download Submit

  • memory/1184-29-0x0000000002A10000-0x0000000002A16000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1184-20-0x00000000040B0000-0x0000000004138000-memory.dmp

    Filesize

    544KB

    Download

  • memory/1184-19-0x00000000040B0000-0x0000000004138000-memory.dmp

    Filesize

    544KB

    Download

  • memory/1184-31-0x0000000002DE0000-0x0000000002DED000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1184-25-0x00000000040B0000-0x0000000004138000-memory.dmp

    Filesize

    544KB

    Download

  • memory/1656-5-0x0000000000490000-0x0000000000512000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1656-0-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1656-36-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1656-1-0x0000000000310000-0x0000000000391000-memory.dmp

    Filesize

    516KB

    Download

  • memory/1656-34-0x0000000000310000-0x0000000000391000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2212-35-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2236-15-0x00000000002D0000-0x00000000002D5000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2236-24-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2236-14-0x0000000000220000-0x00000000002A1000-memory.dmp

    Filesize

    516KB

    Download