3e382558e4d1b1f8fb3c5c34d0c51b123b7b98e5cce1ffb93b9658086261accf

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7d8759aa4ace09b574bbc60c6b134c0N.exe
Size

464KB
MD5

c7d8759aa4ace09b574bbc60c6b134c0
SHA1

fcdcf9f785657a60d6b0d3e0fe33ef38230eb054
SHA256

3e382558e4d1b1f8fb3c5c34d0c51b123b7b98e5cce1ffb93b9658086261accf
SHA512

66dfca38bb05f884d069480a8f5be78f87be1731f05fa36e55800e381b5bdce537f8676637ddc0fc108d5d2b49d44df250eae47cbc77126bccba65de603ade5e
SSDEEP

12288:5Ilc87eqqV5e+wBV6O+r8DdWikdhEepsBTPs8Uy75Hnu:5ISqqHeVBx22dWZqTP55Hnu

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1412	MigAdt32.exe
2240	~E070.tmp
2828	raspdown.exe

Loads dropped DLL 3 IoCs

pid	Process
2220	c7d8759aa4ace09b574bbc60c6b134c0N.exe
2220	c7d8759aa4ace09b574bbc60c6b134c0N.exe
1412	MigAdt32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\raspdown = "C:\\Users\\Admin\\AppData\\Roaming\\tzutcont\\MigAdt32.exe"	c7d8759aa4ace09b574bbc60c6b134c0N.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\raspdown.exe	c7d8759aa4ace09b574bbc60c6b134c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7d8759aa4ace09b574bbc60c6b134c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MigAdt32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	raspdown.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1412	MigAdt32.exe
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1412	MigAdt32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1412	2220	c7d8759aa4ace09b574bbc60c6b134c0N.exe	31
PID 2220 wrote to memory of 1412	2220	c7d8759aa4ace09b574bbc60c6b134c0N.exe	31
PID 2220 wrote to memory of 1412	2220	c7d8759aa4ace09b574bbc60c6b134c0N.exe	31
PID 2220 wrote to memory of 1412	2220	c7d8759aa4ace09b574bbc60c6b134c0N.exe	31
PID 1412 wrote to memory of 2240	1412	MigAdt32.exe	32
PID 1412 wrote to memory of 2240	1412	MigAdt32.exe	32
PID 1412 wrote to memory of 2240	1412	MigAdt32.exe	32
PID 1412 wrote to memory of 2240	1412	MigAdt32.exe	32
PID 2240 wrote to memory of 1188	2240	~E070.tmp	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1188
- C:\Users\Admin\AppData\Local\Temp\c7d8759aa4ace09b574bbc60c6b134c0N.exe
  "C:\Users\Admin\AppData\Local\Temp\c7d8759aa4ace09b574bbc60c6b134c0N.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Users\Admin\AppData\Roaming\tzutcont\MigAdt32.exe
    "C:\Users\Admin\AppData\Roaming\tzutcont"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\~E070.tmp
      1188 475656 1412 1
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2240

C:\Windows\SysWOW64\raspdown.exe
C:\Windows\SysWOW64\raspdown.exe -s
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~E070.tmp

Filesize
8KB

MD5
86dc243576cf5c7445451af37631eea9

SHA1
99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

SHA256
25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

SHA512
c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

Download Submit
\Users\Admin\AppData\Roaming\tzutcont\MigAdt32.exe

Filesize
464KB

MD5
3b5f420a17ad7bb5da602d44e716c3d0

SHA1
0f0bf6e00b0a0bc2ee5c8b46519cab732c49f2b4

SHA256
dbfdcabac87cadb5d79b331285c63bd50ff9c6ffcd35bc2d9b3ea0d6b22ca1d9

SHA512
138d755f37ae181ad463af7e047b4884dd1d2cf8aa5bd4c1b71de0d85c5795e0d1c48df2b5ce4e93e27c0effa98064f2a6667fbad9fcc4af3c9736ca4ef2f76c

Download Submit
memory/1188-28-0x00000000025F0000-0x00000000025F6000-memory.dmp

Filesize
24KB

Download
memory/1188-20-0x0000000004CE0000-0x0000000004D64000-memory.dmp

Filesize
528KB

Download
memory/1188-32-0x0000000002620000-0x000000000262D000-memory.dmp

Filesize
52KB

Download
memory/1188-21-0x0000000004CE0000-0x0000000004D64000-memory.dmp

Filesize
528KB

Download
memory/1188-24-0x0000000004CE0000-0x0000000004D64000-memory.dmp

Filesize
528KB

Download
memory/1412-16-0x0000000000250000-0x0000000000255000-memory.dmp

Filesize
20KB

Download
memory/1412-26-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1412-15-0x00000000002E0000-0x000000000035D000-memory.dmp

Filesize
500KB

Download
memory/2220-1-0x0000000000220000-0x000000000029D000-memory.dmp

Filesize
500KB

Download
memory/2220-5-0x0000000000380000-0x00000000003FA000-memory.dmp

Filesize
488KB

Download
memory/2220-0-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2220-11-0x0000000000380000-0x00000000003FA000-memory.dmp

Filesize
488KB

Download
memory/2220-36-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2220-35-0x0000000000220000-0x000000000029D000-memory.dmp

Filesize
500KB

Download
memory/2828-37-0x00000000002E0000-0x000000000035D000-memory.dmp

Filesize
500KB

Download
memory/2828-38-0x00000000002E0000-0x000000000035D000-memory.dmp

Filesize
500KB

Download