af2e164b57923f07f5a7faca4597d568ad2f0c41214627ea505d1b31ebfb8c47

Analysis

max time kernel
140s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23-08-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spyd.exe
Size

2.1MB
MD5

49a3a7e562366d8c62fb1bc1fc150f8f
SHA1

1dd689e05ba616a5b4173315a207c93c325c52f2
SHA256

897e08fefb939cf4f5c9a899cb46be157f4c8050f8daa8b9fa01110350b78a7f
SHA512

4be72d6b09558ab72dde732142fd5510119f3bdabd86c5a085646d187b1297b163b08d5b4811e1550d8f759744e2857986b525e0c4f9faef8b440947090b6ca9
SSDEEP

49152:A4UIg4mRiHPKnkc2J+aTnF1UPXkMkgWBh1e5SN0bDR08F:A4sjR0KnpU+a7bYXkpgK0bDRDF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2200	is-7CJD8.tmp

Loads dropped DLL 3 IoCs

pid	Process
2488	spyd.exe
2200	is-7CJD8.tmp
2200	is-7CJD8.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spyd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-7CJD8.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2200	is-7CJD8.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2200	2488	spyd.exe	29
PID 2488 wrote to memory of 2200	2488	spyd.exe	29
PID 2488 wrote to memory of 2200	2488	spyd.exe	29
PID 2488 wrote to memory of 2200	2488	spyd.exe	29
PID 2488 wrote to memory of 2200	2488	spyd.exe	29
PID 2488 wrote to memory of 2200	2488	spyd.exe	29
PID 2488 wrote to memory of 2200	2488	spyd.exe	29

C:\Users\Admin\AppData\Local\Temp\spyd.exe
"C:\Users\Admin\AppData\Local\Temp\spyd.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\is-KFME5.tmp\is-7CJD8.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KFME5.tmp\is-7CJD8.tmp" /SL4 $40216 C:\Users\Admin\AppData\Local\Temp\spyd.exe 1999512 50688
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-FTNL3.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-KFME5.tmp\is-7CJD8.tmp

Filesize
588KB

MD5
91d67663e4df642d0b6e864132312eda

SHA1
b30135e2eae9a186fd14884eb5fac8e38f37c9b0

SHA256
e75480cf96537b4bbe8f6ea09519cb0c0a65069cd55d71c55d7a8ce6b2294606

SHA512
d92e77f4311dea800b51e7f9d253f3b3ccae8b3eed5882bfa9006dbb81b5cce3a87b8f2a99725383356ac422ae5dc680e1af9e1517c6e2ac8f6a2dc0db38e34b

Download Submit
memory/2200-15-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2488-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2488-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2488-14-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download