Overview

overview

7

Static

static

3

c7d8759aa4...0N.exe

windows7-x64

7

c7d8759aa4...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    19/08/2024, 03:00 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c7d8759aa4ace09b574bbc60c6b134c0N.exe

  • Size

    464KB

  • MD5

    c7d8759aa4ace09b574bbc60c6b134c0

  • SHA1

    fcdcf9f785657a60d6b0d3e0fe33ef38230eb054

  • SHA256

    3e382558e4d1b1f8fb3c5c34d0c51b123b7b98e5cce1ffb93b9658086261accf

  • SHA512

    66dfca38bb05f884d069480a8f5be78f87be1731f05fa36e55800e381b5bdce537f8676637ddc0fc108d5d2b49d44df250eae47cbc77126bccba65de603ade5e

  • SSDEEP

    12288:5Ilc87eqqV5e+wBV6O+r8DdWikdhEepsBTPs8Uy75Hnu:5ISqqHeVBx22dWZqTP55Hnu

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1188
    • C:\Users\Admin\AppData\Local\Temp\c7d8759aa4ace09b574bbc60c6b134c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\c7d8759aa4ace09b574bbc60c6b134c0N.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Users\Admin\AppData\Roaming\tzutcont\MigAdt32.exe
        "C:\Users\Admin\AppData\Roaming\tzutcont"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1412
        • C:\Users\Admin\AppData\Local\Temp\~E070.tmp
          1188 475656 1412 1
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2240
  • C:\Windows\SysWOW64\raspdown.exe
    C:\Windows\SysWOW64\raspdown.exe -s
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:2828

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~E070.tmp
    Filesize

    8KB

    MD5

    86dc243576cf5c7445451af37631eea9

    SHA1

    99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

    SHA256

    25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

    SHA512

    c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

    Download Submit

  • \Users\Admin\AppData\Roaming\tzutcont\MigAdt32.exe
    Filesize

    464KB

    MD5

    3b5f420a17ad7bb5da602d44e716c3d0

    SHA1

    0f0bf6e00b0a0bc2ee5c8b46519cab732c49f2b4

    SHA256

    dbfdcabac87cadb5d79b331285c63bd50ff9c6ffcd35bc2d9b3ea0d6b22ca1d9

    SHA512

    138d755f37ae181ad463af7e047b4884dd1d2cf8aa5bd4c1b71de0d85c5795e0d1c48df2b5ce4e93e27c0effa98064f2a6667fbad9fcc4af3c9736ca4ef2f76c

    Download Submit

  • memory/1188-28-0x00000000025F0000-0x00000000025F6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1188-20-0x0000000004CE0000-0x0000000004D64000-memory.dmp

    Filesize

    528KB

    Download

  • memory/1188-32-0x0000000002620000-0x000000000262D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1188-21-0x0000000004CE0000-0x0000000004D64000-memory.dmp

    Filesize

    528KB

    Download

  • memory/1188-24-0x0000000004CE0000-0x0000000004D64000-memory.dmp

    Filesize

    528KB

    Download

  • memory/1412-16-0x0000000000250000-0x0000000000255000-memory.dmp

    Filesize

    20KB

    Download

  • memory/1412-26-0x0000000000400000-0x000000000047A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/1412-15-0x00000000002E0000-0x000000000035D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/2220-1-0x0000000000220000-0x000000000029D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/2220-5-0x0000000000380000-0x00000000003FA000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2220-0-0x0000000000400000-0x000000000047A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2220-11-0x0000000000380000-0x00000000003FA000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2220-36-0x0000000000400000-0x000000000047A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2220-35-0x0000000000220000-0x000000000029D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/2828-37-0x00000000002E0000-0x000000000035D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/2828-38-0x00000000002E0000-0x000000000035D000-memory.dmp

    Filesize

    500KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.