Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/08/2024, 21:57

General

  • Target

    35e70875e812ac8383c01c66741805e0N.exe

  • Size

    2.7MB

  • MD5

    35e70875e812ac8383c01c66741805e0

  • SHA1

    a2ef611c57ce7e7ac29dc652d01225cf69734033

  • SHA256

    f853651eef774acb0e4ad3104cc1aedd2630c1b17388cd0496b5f97831d0fd9b

  • SHA512

    606904076e4d70f26f2d24819575083857fd2ab6998a2a90eb2564afd700998d03e0d0a6afad116ead63f702599ff3ab876bbeee730125cd1d27e13a118a4711

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBA9w4Sx:+R0pI/IQlUoMPdmpSpO4

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\35e70875e812ac8383c01c66741805e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\35e70875e812ac8383c01c66741805e0N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:948
    • C:\FilesD2\xbodloc.exe
      C:\FilesD2\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2072

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVBRL\optiaec.exe

    Filesize

    55KB

    MD5

    f4f6f7cf635a7dc89cf2de93aaf23cf0

    SHA1

    d27865a539055547390b30b0c05434ff8abb1f6c

    SHA256

    e97cc6b9ec92514e388bf7a36e238e203cdbb8c9c32c6fd05808d83c03a682b1

    SHA512

    20ce5f12a6eaafe9840990d5e3c1381ed4bbc59bfe8815ef41de64b85631577032340b71f65c8c119b3cdde94a7f8510a98199b7db97b709ae9e584ffafd8955

  • C:\KaVBRL\optiaec.exe

    Filesize

    2.7MB

    MD5

    46b809a78ebf02d8ebdf095281c1dcc2

    SHA1

    13c49e4b8b88561211d27764c1a5f2a54df803a6

    SHA256

    9d7093b2cf7d56a08c5452589479987b6cca45c25d6b7e772428e70992f59ed7

    SHA512

    3b7ee5f34f9dd158e564a21772f8a1794495365d6b3d4e8d65784ed41119cff87ae7204a8bd3404f5024ec4ef702fc199508604e1cf0e2f872aed4a19f943340

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    200B

    MD5

    7b1e6bdb5d0d1fcaf188495e82f9560c

    SHA1

    65ae3bf06f42334c4f333fd32eaf84792f393a52

    SHA256

    a25458ff5763ed6fb2fcf02e6921e3c4d7bf75a4eee1eea52e5a32be31abdc22

    SHA512

    83e74d9ff5d22b05f949504c2d9c5032eb9994f8119f84f41175b176799020f7c98efaa8e5c96d68ba2f3f21056cbb7c8afaa627ff9efda0ee506949666b870f

  • \FilesD2\xbodloc.exe

    Filesize

    2.7MB

    MD5

    d1aeb225d2087a77d3d9b8bd7dcf96c2

    SHA1

    a6e6833479892c556357ed40a80cf5effb21118e

    SHA256

    ce30808819d88557655e041d7c29bd33175e8fccda355694015afddd80906c6d

    SHA512

    fe18ba555d324bd4b90ff539dac8e2c3e4e2371db784e89a1f8c356661e4dd6c8934986726138ec156f7575c040104e4f98847693fdc5815e6f224d705ee8426
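A host-hunting script assembled from the paths and hashes in the Signatures, Processes and Downloads sections above. It is an added example, not part of the sandbox report and not the sample's own code. It assumes two things the report does not state: that the Run value's command line contains the dropped file's path (the report only records that a Run key was added, not its data), and that the drop directories C:\FilesD2 and C:\KaVBRL are the same on other infected hosts. The .ini path is user-specific in the report, so the script hashes any .ini in a profile root rather than hard-coding that filename.

```powershell
# Added hunting example (not part of the sandbox report): check a live Windows
# host for the persistence, dropped files and processes this report lists.
# Run from an elevated Windows PowerShell 5.1+ session.
# Assumptions not stated in the report: the Run value's command line contains
# the dropped file's path, and the drop directories match other infected hosts.

# SHA256 values copied from the report's General and Downloads sections.
$IocSha256 = @{
    'f853651eef774acb0e4ad3104cc1aedd2630c1b17388cd0496b5f97831d0fd9b' = 'submitted sample'
    'ce30808819d88557655e041d7c29bd33175e8fccda355694015afddd80906c6d' = '\FilesD2\xbodloc.exe'
    'e97cc6b9ec92514e388bf7a36e238e203cdbb8c9c32c6fd05808d83c03a682b1' = 'C:\KaVBRL\optiaec.exe (55KB write)'
    '9d7093b2cf7d56a08c5452589479987b6cca45c25d6b7e772428e70992f59ed7' = 'C:\KaVBRL\optiaec.exe (2.7MB write)'
    'a25458ff5763ed6fb2fcf02e6921e3c4d7bf75a4eee1eea52e5a32be31abdc22' = 'C:\Users\Admin\253086396416_6.1_Admin.ini'
}
$DropDirs = @('C:\FilesD2', 'C:\KaVBRL')

function Find-ReportIocs {
    # Every finding is emitted as an object so the output can be piped to
    # Export-Csv or a log forwarder instead of being read off the console.

    # 1. Persistence: "Adds Run key to start application". Check both registry
    #    views of HKLM plus every loaded user hive, not just the current user.
    $null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    $runKeys += Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.PSPath)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }
    foreach ($key in $runKeys) {
        $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $values) { continue }
        foreach ($v in $values.PSObject.Properties) {
            if ($v.Name -like 'PS*') { continue }      # PSPath etc. are provider metadata, not values
            $cmd = [string]$v.Value
            foreach ($dir in $DropDirs) {
                if ($cmd -like "*$dir*") {
                    [pscustomobject]@{ Type = 'RunKey'; Location = "$key\$($v.Name)"; Detail = $cmd }
                }
            }
        }
    }

    # 2. Dropped files: hash everything under the drop directories and any .ini
    #    in a profile root. A path hit without a hash hit is still reported: the
    #    report shows the dropped 2.7MB xbodloc.exe carries a different hash from
    #    the 2.7MB parent, so hash-only matching would miss re-dropped copies.
    $files = @()
    foreach ($dir in $DropDirs) {
        if (Test-Path -LiteralPath $dir) {
            $files += Get-ChildItem -LiteralPath $dir -File -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
    $files += Get-ChildItem -Path 'C:\Users\*\*.ini' -File -Force -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $h = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if (-not $h) { continue }                      # locked or unreadable file
        $hex = $h.Hash.ToLower()
        if ($IocSha256.ContainsKey($hex)) {
            [pscustomobject]@{ Type = 'HashMatch'; Location = $f.FullName; Detail = $IocSha256[$hex] }
        } elseif ($DropDirs | Where-Object { $f.FullName -like "$_\*" }) {
            [pscustomobject]@{ Type = 'PathOnly'; Location = $f.FullName; Detail = $hex }
        }
    }

    # 3. Processes: "Executes dropped EXE". xbodloc.exe ran from C:\FilesD2 in
    #    the sandbox; report anything currently executing from a drop directory.
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        if (-not $p.Path) { continue }                 # no image path (access denied / system)
        foreach ($dir in $DropDirs) {
            if ($p.Path -like "$dir\*") {
                [pscustomobject]@{ Type = 'Process'; Location = "$($p.ProcessName) (PID $($p.Id))"; Detail = $p.Path }
            }
        }
    }
}

Find-ReportIocs | Format-Table -AutoSize
```

Treat a PathOnly finding as seriously as a HashMatch: the sandbox recorded two different writes to C:\KaVBRL\optiaec.exe (55KB, then 2.7MB) with different hashes, and the dropped xbodloc.exe does not share the parent's hash, so the exact SHA256 values are the weakest of the three indicators; the directory names and the Run-key persistence are what a re-infected host is most likely to reproduce. The "Loads dropped DLL" signature has no file listed in Downloads, so the script does not look for one.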