Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    19/08/2024, 02:51

General

  • Target

    ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe

  • Size

    839KB

  • MD5

    803f39a10c4016eac37d86cd4b5e47c9

  • SHA1

    2f3b456b5d398c45c912a7d7240830114db31572

  • SHA256

    ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42

  • SHA512

    cf4354345c612c56e2aac2719199fdeddda8f8c98556280aede08a40601fbda46d87a05ec96bbaa2bb06ee120a77adacc3ce87b82eb85607d23a7cf83696b932

  • SSDEEP

    12288:E8kxNhOZElO5kkWjhD4AI/GtAtScw3qEKBaGtAtScw3qEKB:7qEkfFP145J145

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 34 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
    "C:\Users\Admin\AppData\Local\Temp\ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Program Files (x86)\JVRZX.EXE
      "C:\Program Files (x86)\JVRZX.EXE"
      2⤵
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2916

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\IZVN.EXE

    Filesize

    839KB

    MD5

    f3f30a183132353a9276ebfb914998df

    SHA1

    7300d4f3463c7915f87be9b4aee65915c9b08844

    SHA256

    df99beebb19643e82afdaea0dc3f6e641bc6f93bba10bacc2c8e1a20691a9f20

    SHA512

    2da08c7fc93dd4e8ed4342355f31c7f8a633030975d44f2615a7d86888937f7477b977cbcc7267928fcb4d386ff02de50a5d4f581323f0ff68da25363cefcae8

  • \??\c:\filedebug

    Filesize

    276B

    MD5

    2b88a9887dc926923d5411848e6ac198

    SHA1

    d21b70f60c5fc12621ac1b1f1e4238689e00c25a

    SHA256

    3ee007b010e77aedde465a1ff9e9962624c5b40e902651820318588259a48c22

    SHA512

    eac11a6c57ef6471ec10e85ca2cd52f0acf93cc79509cdd17d09d324a5447216c45453c586abd4ad1fb34ea992df109f15aa15d26c2e4cadec80dbf171f43950

  • \Program Files (x86)\JVRZX.EXE

    Filesize

    839KB

    MD5

    d2a2ed2af6b3f85e7459552c175f9250

    SHA1

    ddc3634193e682f8d9bb2daf19a1ed234df73a94

    SHA256

    b364e9999be15f46cdbbfe776cf4e858f11cc46006b4a9504b31696ae500fa18

    SHA512

    0a1bf4cf4441a3bd3dc8ded22e9789dcc7c3dee0ad88f4e236f4d7a514da13047cb8afc49ea2d1ddbc2824414b9d7e48f4ff28d2b5a62859485cc5b035b3b6e7

  • memory/2108-0-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2108-1-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2108-22-0x0000000000350000-0x00000000003C0000-memory.dmp

    Filesize

    448KB

  • memory/2108-29-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2916-28-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2916-30-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB