d18d726669773dec9df709c430a1bf661b7f254dee199b804d9c65efddfbf679

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d18d726669773dec9df709c430a1bf661b7f254dee199b804d9c65efddfbf679.exe
Size

885KB
MD5

384c96211034e44fdafc7b03fb78f358
SHA1

6b529b7f6c1379b40c5b0565a2634cb1031a5964
SHA256

d18d726669773dec9df709c430a1bf661b7f254dee199b804d9c65efddfbf679
SHA512

4394c2228bab358bf77a821d42088d152e50bcfbfb47127c3810b9fe03ed2c60b7258f1c0742833dbd9cdaa6c9a14e13d63c8fbde62b77bebf6bdd1ae471db5c
SSDEEP

24576:MJ4SWyTT1vuPu9b/cglhYX/LDaoMerhmt:MJdwPObnYjDaxerQ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2640	PIHZ82ui8l.exe
2976	Xh25ZHZ2Me.exe

Loads dropped DLL 2 IoCs

pid	Process
2732	RegAsm.exe
2732	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2696 set thread context of 2732	2696	d18d726669773dec9df709c430a1bf661b7f254dee199b804d9c65efddfbf679.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d18d726669773dec9df709c430a1bf661b7f254dee199b804d9c65efddfbf679.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1412	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1412	PING.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe
2976	Xh25ZHZ2Me.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	Xh25ZHZ2Me.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2732	2696	d18d726669773dec9df709c430a1bf661b7f254dee199b804d9c65efddfbf679.exe	30
PID 2696 wrote to memory of 2732	2696	d18d726669773dec9df709c430a1bf661b7f254dee199b804d9c65efddfbf679.exe	30
PID 2696 wrote to memory of 2732	2696	d18d726669773dec9df709c430a1bf661b7f254dee199b804d9c65efddfbf679.exe	30
PID 2696 wrote to memory of 2732	2696	d18d726669773dec9df709c430a1bf661b7f254dee199b804d9c65efddfbf679.exe	30
PID 2696 wrote to memory of 2732	2696	d18d726669773dec9df709c430a1bf661b7f254dee199b804d9c65efddfbf679.exe	30
PID 2696 wrote to memory of 2732	2696	d18d726669773dec9df709c430a1bf661b7f254dee199b804d9c65efddfbf679.exe	30
PID 2696 wrote to memory of 2732	2696	d18d726669773dec9df709c430a1bf661b7f254dee199b804d9c65efddfbf679.exe	30
PID 2696 wrote to memory of 2732	2696	d18d726669773dec9df709c430a1bf661b7f254dee199b804d9c65efddfbf679.exe	30
PID 2696 wrote to memory of 2732	2696	d18d726669773dec9df709c430a1bf661b7f254dee199b804d9c65efddfbf679.exe	30
PID 2696 wrote to memory of 2732	2696	d18d726669773dec9df709c430a1bf661b7f254dee199b804d9c65efddfbf679.exe	30
PID 2696 wrote to memory of 2732	2696	d18d726669773dec9df709c430a1bf661b7f254dee199b804d9c65efddfbf679.exe	30
PID 2696 wrote to memory of 2732	2696	d18d726669773dec9df709c430a1bf661b7f254dee199b804d9c65efddfbf679.exe	30
PID 2696 wrote to memory of 2732	2696	d18d726669773dec9df709c430a1bf661b7f254dee199b804d9c65efddfbf679.exe	30
PID 2696 wrote to memory of 2732	2696	d18d726669773dec9df709c430a1bf661b7f254dee199b804d9c65efddfbf679.exe	30
PID 2732 wrote to memory of 2976	2732	RegAsm.exe	32
PID 2732 wrote to memory of 2976	2732	RegAsm.exe	32
PID 2732 wrote to memory of 2976	2732	RegAsm.exe	32
PID 2732 wrote to memory of 2976	2732	RegAsm.exe	32
PID 2976 wrote to memory of 2272	2976	Xh25ZHZ2Me.exe	35
PID 2976 wrote to memory of 2272	2976	Xh25ZHZ2Me.exe	35
PID 2976 wrote to memory of 2272	2976	Xh25ZHZ2Me.exe	35
PID 2272 wrote to memory of 2520	2272	cmd.exe	37
PID 2272 wrote to memory of 2520	2272	cmd.exe	37
PID 2272 wrote to memory of 2520	2272	cmd.exe	37
PID 2272 wrote to memory of 1412	2272	cmd.exe	38
PID 2272 wrote to memory of 1412	2272	cmd.exe	38
PID 2272 wrote to memory of 1412	2272	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\d18d726669773dec9df709c430a1bf661b7f254dee199b804d9c65efddfbf679.exe
"C:\Users\Admin\AppData\Local\Temp\d18d726669773dec9df709c430a1bf661b7f254dee199b804d9c65efddfbf679.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Roaming\PIHZ82ui8l.exe
    "C:\Users\Admin\AppData\Roaming\PIHZ82ui8l.exe"
    3⤵
    - Executes dropped EXE
    PID:2640
- - C:\Users\Admin\AppData\Roaming\Xh25ZHZ2Me.exe
    "C:\Users\Admin\AppData\Roaming\Xh25ZHZ2Me.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2520
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat

Filesize
177B

MD5
4c5cc8fad2a255b2d90a5f6b85ab71a1

SHA1
e34ddffed37398857059b80d526915eb3d4ed126

SHA256
8611f34269f6f70c5c4fbf3a5e48a0460a7b1ec9dd6aca59b78be6e8a250cb66

SHA512
01e1fc571d8da37700df996ee31bc28f1fb7d810222b9ddf899de70bc6319f0d1ee5085fea20c8bc62c9544043b81162fbb4b97714f6a04a573bb06b13838ecc

Download Submit
C:\Users\Admin\AppData\Roaming\PIHZ82ui8l.exe

Filesize
18KB

MD5
f3edff85de5fd002692d54a04bcb1c09

SHA1
4c844c5b0ee7cb230c9c28290d079143e00cb216

SHA256
caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131

SHA512
531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d

Download Submit
\Users\Admin\AppData\Roaming\Xh25ZHZ2Me.exe

Filesize
625KB

MD5
333d2f74ba9f68db202790b5b21923de

SHA1
b8ada76eaaf8bfa5f256552035ba8e84bfa892c8

SHA256
7526e43bb967b29c8a3afbb4ae23a86184f5eadf4279dace89c18946b2e63a9e

SHA512
79424cf55c8bf8b1c978e004fd62bd09f223934b1a9b59fabf67a3ffee09df9a41b0bb83cb7ddc86e188babcc003bbd2b6344770474c8c84127ff80972ad51f7

Download Submit
memory/2696-1-0x0000000001320000-0x00000000013FE000-memory.dmp

Filesize
888KB

Download
memory/2696-22-0x0000000074180000-0x000000007486E000-memory.dmp

Filesize
6.9MB

Download
memory/2696-0-0x000000007418E000-0x000000007418F000-memory.dmp

Filesize
4KB

Download
memory/2732-20-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2732-3-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2732-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2732-13-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2732-9-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2732-7-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2732-5-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2732-16-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2732-18-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2732-23-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2732-36-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2732-38-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2732-11-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2976-41-0x0000000000390000-0x00000000003A8000-memory.dmp

Filesize
96KB

Download
memory/2976-43-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2976-39-0x0000000000E00000-0x0000000000EA2000-memory.dmp

Filesize
648KB

Download