Overview

overview

7

Static

static

3

3b79514bd6...0N.exe

windows7-x64

6

3b79514bd6...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    25/08/2024, 05:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b79514bd6363e670f982a9f55daa070N.exe

  • Size

    179KB

  • MD5

    3b79514bd6363e670f982a9f55daa070

  • SHA1

    1dc003d4c75e13ff325dee8161e97011792141a4

  • SHA256

    c46400e9c40c1a5e68fe2b148e716f09448ed0626072129db27e766192d33bb9

  • SHA512

    27c1d44fa34bd252fdf548d5f43640ba7cfb32ff94efd514a6d2b7e18e0049dd5db102bbb37154c73cc87961f98bcdec23e1840a0e09e1f01fe5580f54110bc6

  • SSDEEP

    3072:DXTTASJKf2n5AxE2NpxOa2XdU2QF4s5XgIDFyHb8kHofL/09rGB:DvASJKenie2xT2NU2OTFQb8Fb0IB

Score
6/10
discoverypersistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks for any installed AV software in registry 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b79514bd6363e670f982a9f55daa070N.exe
    "C:\Users\Admin\AppData\Local\Temp\3b79514bd6363e670f982a9f55daa070N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Windows\SysWOW64\svchost.exe
      C:\ProgramData\fd2280fj0.exe
      2⤵
      • Adds Run key to start application
      • Checks for any installed AV software in registry
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2744
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\ProgramData\fdrCF9.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\3b79514bd6363e670f982a9f55daa070N.exe""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1352

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\fdrCF9.tmp.bat
    Filesize

    34B

    MD5

    3b87b99800f3b6d48f2abc3fc41d4711

    SHA1

    cc4ce6fa07572c9d5cbca0938d973666442d1de9

    SHA256

    dd8f9cecc9113f484f8176686c3483cc51e49169dd790112d5a989f0f3e43c81

    SHA512

    80109888851a497adda70fc89fe137d80d85f8c5b379de3256679a0234032e206dfdc127b0539c52fe0e590c7a6b552ee2e6a897f10f4c7fd2291eaca9ba1d7f

    Download Submit

  • memory/1824-0-0x0000000000850000-0x0000000000880000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1824-303-0x0000000000850000-0x0000000000880000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2744-11-0x00000000002A0000-0x0000000000316000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2744-301-0x00000000002A0000-0x0000000000316000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2744-4-0x00000000002A0000-0x0000000000316000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2744-10-0x00000000002A0000-0x0000000000316000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2744-9-0x00000000002A0000-0x0000000000316000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2744-8-0x00000000002A0000-0x0000000000316000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2744-6-0x00000000002A0000-0x0000000000316000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2744-5-0x00000000002A0000-0x0000000000316000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2744-2-0x00000000000D0000-0x00000000000D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2744-7-0x00000000002A0000-0x0000000000316000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2744-305-0x00000000002A0000-0x0000000000316000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2744-304-0x0000000000350000-0x0000000000450000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2744-3-0x00000000000D0000-0x00000000000D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2744-307-0x00000000002A0000-0x0000000000316000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2744-310-0x00000000002A0000-0x0000000000316000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2744-311-0x00000000002A0000-0x0000000000316000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2744-314-0x00000000002A0000-0x0000000000316000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2744-318-0x00000000002A0000-0x0000000000316000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2744-319-0x00000000002A0000-0x0000000000316000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2744-325-0x0000000000350000-0x0000000000450000-memory.dmp

    Filesize

    1024KB

    Download