fb66144ddaa29d181c28194369ef342bf48404b17bf27f36fee7dfb937966cbe

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dde3683deff8d14d1002043eb34edcd0N.exe
Size

96KB
MD5

dde3683deff8d14d1002043eb34edcd0
SHA1

3aed56c6a47828391faa500e260b3f55d57870cb
SHA256

fb66144ddaa29d181c28194369ef342bf48404b17bf27f36fee7dfb937966cbe
SHA512

855abe9f008b424d75cf6596b7572d86d5f937610555545c20d8690e5e720b05e33d4d6675581471a9d34383e7e81a058da8457ed7d01b9c4d307f05176f52b3
SSDEEP

3072:lbjgjXxdWBhMwRFy2Rk/kcIAebPph/ATvYKyUDI7Lurr:lfAXxd0qf2L/ATvryOI7ar

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1900	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
2824	rMX.exe
1908	rMX.exe.exe

Loads dropped DLL 4 IoCs

pid	Process
2816	dde3683deff8d14d1002043eb34edcd0N.exe
2816	dde3683deff8d14d1002043eb34edcd0N.exe
2592	cmd.exe
2592	cmd.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe
File opened for modification	\??\c:\windows\nk.txt	cmd.exe
File created	C:\WINDOWS\VWFLH\rMX.exe	dde3683deff8d14d1002043eb34edcd0N.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe	dde3683deff8d14d1002043eb34edcd0N.exe
File created	\??\c:\windows\rMX.exe.bat	rMX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dde3683deff8d14d1002043eb34edcd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rMX.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rMX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2824	2816	dde3683deff8d14d1002043eb34edcd0N.exe	30
PID 2816 wrote to memory of 2824	2816	dde3683deff8d14d1002043eb34edcd0N.exe	30
PID 2816 wrote to memory of 2824	2816	dde3683deff8d14d1002043eb34edcd0N.exe	30
PID 2816 wrote to memory of 2824	2816	dde3683deff8d14d1002043eb34edcd0N.exe	30
PID 2824 wrote to memory of 2956	2824	rMX.exe	31
PID 2824 wrote to memory of 2956	2824	rMX.exe	31
PID 2824 wrote to memory of 2956	2824	rMX.exe	31
PID 2824 wrote to memory of 2956	2824	rMX.exe	31
PID 2824 wrote to memory of 2592	2824	rMX.exe	32
PID 2824 wrote to memory of 2592	2824	rMX.exe	32
PID 2824 wrote to memory of 2592	2824	rMX.exe	32
PID 2824 wrote to memory of 2592	2824	rMX.exe	32
PID 2816 wrote to memory of 2760	2816	dde3683deff8d14d1002043eb34edcd0N.exe	33
PID 2816 wrote to memory of 2760	2816	dde3683deff8d14d1002043eb34edcd0N.exe	33
PID 2816 wrote to memory of 2760	2816	dde3683deff8d14d1002043eb34edcd0N.exe	33
PID 2816 wrote to memory of 2760	2816	dde3683deff8d14d1002043eb34edcd0N.exe	33
PID 2592 wrote to memory of 1908	2592	cmd.exe	37
PID 2592 wrote to memory of 1908	2592	cmd.exe	37
PID 2592 wrote to memory of 1908	2592	cmd.exe	37
PID 2592 wrote to memory of 1908	2592	cmd.exe	37
PID 1908 wrote to memory of 2616	1908	rMX.exe.exe	38
PID 1908 wrote to memory of 2616	1908	rMX.exe.exe	38
PID 1908 wrote to memory of 2616	1908	rMX.exe.exe	38
PID 1908 wrote to memory of 2616	1908	rMX.exe.exe	38
PID 2760 wrote to memory of 1900	2760	cmd.exe	40
PID 2760 wrote to memory of 1900	2760	cmd.exe	40
PID 2760 wrote to memory of 1900	2760	cmd.exe	40
PID 2760 wrote to memory of 1900	2760	cmd.exe	40
PID 2616 wrote to memory of 2360	2616	cmd.exe	41
PID 2616 wrote to memory of 2360	2616	cmd.exe	41
PID 2616 wrote to memory of 2360	2616	cmd.exe	41
PID 2616 wrote to memory of 2360	2616	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\dde3683deff8d14d1002043eb34edcd0N.exe
"C:\Users\Admin\AppData\Local\Temp\dde3683deff8d14d1002043eb34edcd0N.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816
- C:\WINDOWS\VWFLH\rMX.exe
  C:\WINDOWS\VWFLH\rMX.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo 0>>c:\windows\nk.txt
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\WINDOWS\VWFLH\rMX.exe.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\WINDOWS\VWFLH\rMX.exe.exe
      C:\WINDOWS\VWFLH\rMX.exe.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\78.vbs
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\78.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\71.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\71.vbs"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\71.vbs

Filesize
205B

MD5
66f36f6a31f1861d6405488ed1b57052

SHA1
df152baec64197efdffa3435ac4fe4eb5e1dc06c

SHA256
383e930abbd7eb6129dca16f6be8b70367f1a2874798a9efebe8fa4177dc46c1

SHA512
164f1193123c58900eff09e53d35606916b53a8fd56c29038b40232f8a6fdd74a66b6cdc18122f48a88bba09b31a7e048aa78b4e92b1e80e4b48fe44cbf05264

Download Submit
C:\78.vbs

Filesize
162B

MD5
370cd15995e93ff24dd932271b89f68a

SHA1
4aa21f5034879de58e7f5a33310ca64b3ba94624

SHA256
3fd5fe441db7713ec43c5bbafb862bac861dec71f80ca8fbab33490007cb291f

SHA512
26b26805fd88611037152c98abc5b4e779c6d6fae6457c358e2bbd4792800b8e6ac3ee2608e7f539d68c6fb748f06186dab1e5920e1040d374f497345d4b76ab

Download Submit
C:\Windows\VWFLH\rMX.exe.exe

Filesize
96KB

MD5
285c1c2a1ff69ba2f9c4e7b34c05628c

SHA1
8c23ebc1316df6ee3d647b9d1d373cf23bc78bda

SHA256
a1e88073378b4faf0dab8bb659574ad8668ce7b7338c8b24a2f73d4df9476c6c

SHA512
057deb802f28b87836e35ceb64e167ace3569db50d46c53b4f2ec29ac8f0ffca3eed3a9baf0aa45a1e63cfec15a2bdda8f2378b1d06369ab8c0267d0f5109afc

Download Submit
\Windows\VWFLH\rMX.exe

Filesize
96KB

MD5
dde3683deff8d14d1002043eb34edcd0

SHA1
3aed56c6a47828391faa500e260b3f55d57870cb

SHA256
fb66144ddaa29d181c28194369ef342bf48404b17bf27f36fee7dfb937966cbe

SHA512
855abe9f008b424d75cf6596b7572d86d5f937610555545c20d8690e5e720b05e33d4d6675581471a9d34383e7e81a058da8457ed7d01b9c4d307f05176f52b3

Download Submit
memory/1908-33-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/2816-15-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/2824-14-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download