21e7e777534d3bdac1d49e8283ce0d0c28c229962fe571f53389a00c79a17f8f

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 02:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

def7cd96d074f74c01a24a7544dd49a0N.exe
Size

448KB
MD5

def7cd96d074f74c01a24a7544dd49a0
SHA1

492f4b3e7a85b690f3d29c110c5b890657b2ef34
SHA256

21e7e777534d3bdac1d49e8283ce0d0c28c229962fe571f53389a00c79a17f8f
SHA512

290d796220c089b5fbd623de04f8bc7426e2ed4f0895f562b28e957b71e4480ea732bc620e97f3e6919cb584a74e943564fee987d80168ffd431a057f903988a
SSDEEP

6144:PJKtxV5dhmR8GSTiMIDNrV5DSxXySkEjiPISUOgW9X+hOGzC/NM:PJKtxV5dhmR8pTmZbsXPkmZzcukG2/

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2272	CJMIYWM.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\CJMIYWM.exe	def7cd96d074f74c01a24a7544dd49a0N.exe
File opened for modification	C:\windows\CJMIYWM.exe	def7cd96d074f74c01a24a7544dd49a0N.exe
File created	C:\windows\CJMIYWM.exe.bat	def7cd96d074f74c01a24a7544dd49a0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	def7cd96d074f74c01a24a7544dd49a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CJMIYWM.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2972	def7cd96d074f74c01a24a7544dd49a0N.exe
2272	CJMIYWM.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2972	def7cd96d074f74c01a24a7544dd49a0N.exe
2972	def7cd96d074f74c01a24a7544dd49a0N.exe
2272	CJMIYWM.exe
2272	CJMIYWM.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2076	2972	def7cd96d074f74c01a24a7544dd49a0N.exe	29
PID 2972 wrote to memory of 2076	2972	def7cd96d074f74c01a24a7544dd49a0N.exe	29
PID 2972 wrote to memory of 2076	2972	def7cd96d074f74c01a24a7544dd49a0N.exe	29
PID 2972 wrote to memory of 2076	2972	def7cd96d074f74c01a24a7544dd49a0N.exe	29
PID 2076 wrote to memory of 2272	2076	cmd.exe	31
PID 2076 wrote to memory of 2272	2076	cmd.exe	31
PID 2076 wrote to memory of 2272	2076	cmd.exe	31
PID 2076 wrote to memory of 2272	2076	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\def7cd96d074f74c01a24a7544dd49a0N.exe
"C:\Users\Admin\AppData\Local\Temp\def7cd96d074f74c01a24a7544dd49a0N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\CJMIYWM.exe.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\windows\CJMIYWM.exe
    C:\windows\CJMIYWM.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\CJMIYWM.exe.bat

Filesize
60B

MD5
c25ee458c2198d50ab8b0a95eecaea19

SHA1
4b2b91f477a71c5448db0a420d4ff518737ec187

SHA256
422ed71fca68e7c4b13d8023650fd8e86aad27ffd78a0ad74a7f4b5c74376819

SHA512
544d775a7678678d9e93c64eb7a2d6448f1fea82c742b935c7118657506d638b833206cb8ffe042b37a49a5c5e54b0284128787fcb7ee73a80e101d7b3ae3e35

Download Submit
C:\windows\CJMIYWM.exe

Filesize
448KB

MD5
32377fc5f7e4b548956858c7eb4b863c

SHA1
c7f9edc87c7d30b4aa514f735870870468ffc1e3

SHA256
23b135f54e39287132c335b97c7f7b8a633d78b8069da0363ce42a34565e4c25

SHA512
91d983fe5fd97ababf537395a13716e54bb34c90a7c207da363636a10dab9b4d1038c06cc998aa40e73d545b79c58b00836ab0e3668c51a684d48f850b20fa74

Download Submit
memory/2076-15-0x0000000000340000-0x0000000000379000-memory.dmp

Filesize
228KB

Download
memory/2076-17-0x0000000000340000-0x0000000000379000-memory.dmp

Filesize
228KB

Download
memory/2272-18-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2972-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2972-12-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download