Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/08/2024, 09:34

General

  • Target

    6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe

  • Size

    8.2MB

  • MD5

    7212283e1556c634629917b01de6f817

  • SHA1

    321fd880d3ab4fadb36e9b512aed760de0f2e6bd

  • SHA256

    6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9

  • SHA512

    c6c688ebdec6eeee59c8b84066a3a3a18934b17d56cba5e2e8d2e7a38d099382ec9887af8024115a090405c7d3a7d9248759b75e481656d1e9a94d68f0e98da8

  • SSDEEP

    98304:6nHKrVhknxx8ujLWFghGdkXC/2rF2Uf3LRBYZAIGVzArOSqeDalc6d:frmLQG2WRS8c9BDal

Score
7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Gathers network information 2 TTPs 2 IoCs

    Uses a command-line utility (here netstat -an) to view the network configuration.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe
    "C:\Users\Admin\AppData\Local\Temp\6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c netstat -an
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Windows\SysWOW64\NETSTAT.EXE
        netstat -an
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        • Suspicious use of AdjustPrivilegeToken
        PID:2824
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c netstat -an
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\NETSTAT.EXE
        netstat -an
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        • Suspicious use of AdjustPrivilegeToken
        PID:2828
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\Del.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\delay.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3048
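Detection logic for the process tree above, as an added example that is not part of the sandbox report: constructed process-creation events (PIDs, images and command lines copied from the tree; the sample's own parent PID 1000 is assumed, since the report does not show it) are checked by two rules that match what the report flags, netstat launched beneath a Temp-resident binary and a script host run by a cmd /c *.bat on a script in the user's Temp directory. The event field names (pid, ppid, image, cmdline) are an assumption; map them to your own telemetry (e.g. Sysmon Event ID 1).

```python
import ntpath

SAMPLE = "6c2c5d0bb0277ae084ba6053a630a951d6ffa2de524cb6b8a133f5f25d1410b9.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = ntpath.join(TEMP, SAMPLE)

# Constructed events mirroring the report's process tree.  ppid 1000 for the
# sample is an assumption; everything else is taken from the tree above.
EVENTS = [
    {"pid": 2780, "ppid": 1000, "image": SAMPLE_PATH, "cmdline": f'"{SAMPLE_PATH}"'},
    {"pid": 2248, "ppid": 2780, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd.exe /c netstat -an"},
    {"pid": 2824, "ppid": 2248, "image": r"C:\Windows\SysWOW64\NETSTAT.EXE", "cmdline": "netstat -an"},
    {"pid": 2800, "ppid": 2780, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd.exe /c netstat -an"},
    {"pid": 2828, "ppid": 2800, "image": r"C:\Windows\SysWOW64\NETSTAT.EXE", "cmdline": "netstat -an"},
    {"pid": 2924, "ppid": 2780, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r"cmd /c c:\Del.bat"},
    {"pid": 3048, "ppid": 2924, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": '"C:\\Windows\\System32\\WScript.exe" "' + ntpath.join(TEMP, "delay.vbs") + '"'},
]

# Directories an unprivileged user can write to; extend for your environment.
USER_WRITABLE = (TEMP.lower(),)


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def basename(path):
    return ntpath.basename(path).lower()


def build_index(events):
    return {e["pid"]: e for e in events}


def ancestors(pid, by_pid):
    """Yield parent, grandparent, ... as far as the telemetry reaches (cycle-safe)."""
    seen = set()
    e = by_pid.get(pid)
    while e is not None and e["ppid"] in by_pid and e["ppid"] not in seen:
        seen.add(e["ppid"])
        e = by_pid[e["ppid"]]
        yield e


def detect(events):
    """Return (rule, pid) findings for the two behaviours visible in the tree."""
    by_pid = build_index(events)
    findings = []
    for e in events:
        name = basename(e["image"])
        chain = list(ancestors(e["pid"], by_pid))

        # Rule 1: netstat with a binary from a user-writable directory anywhere
        # in its ancestry (the sample -> cmd.exe -> NETSTAT.EXE chain above).
        if name == "netstat.exe" and any(is_user_writable(a["image"]) for a in chain):
            findings.append(("netstat_from_temp_binary", e["pid"]))

        # Rule 2: a script host whose parent is cmd running a .bat file, and whose
        # own script argument lives in a user-writable directory
        # (cmd /c c:\Del.bat -> WScript.exe ...\Temp\delay.vbs above).
        if name in ("wscript.exe", "cscript.exe"):
            parent = by_pid.get(e["ppid"])
            if (parent is not None
                    and basename(parent["image"]) == "cmd.exe"
                    and ".bat" in parent["cmdline"].lower()
                    and any(d in e["cmdline"].lower() for d in USER_WRITABLE)):
                findings.append(("bat_launches_script_from_temp", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

Both rules key on the ancestry rather than on the exact command lines, so the same logic still fires if the sample is renamed or netstat is run with different switches; the cost is that any legitimate installer unpacked to Temp that runs netstat will also match, so treat rule 1 as a hunting signal to be combined with the dropped-DLL and startup-file indicators listed below rather than as a standalone alert.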

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Del.bat

    Filesize

    163B

    MD5

    da117a17f814b5d1a13c2e7f2e6a794e

    SHA1

    b94bde235c53c3947a9dd094a30aef626bf4dace

    SHA256

    17b890eaf7b4af3ad68a9f9e55081c8c576b10061c3709917e29d47ec421089b

    SHA512

    87eb8958b1d3ce6241feafdd1e84d635b695597061dbb0a62249c1948952149c32091ce15dac66f0da930e764b145e08d9573e9d067a11a062de2fff46dacb7e

  • C:\Users\Admin\AppData\Local\Temp\delay.vbs

    Filesize

    18B

    MD5

    5ccc803b59fdbcdea8fd7510e8d0fc04

    SHA1

    934485e70bf33c0860d346c92f85231be6dbc606

    SHA256

    56dbbffa3c9452f514e5f85f589cd8ee557ddd79283c3456bb37296c482d4631

    SHA512

    a0229aba0a6fda2f9edd6c363b5de5eae1da0f3e04b687ac893cc6f01cde7d969799333b576b0277363339906570ef33f30f5b3f6738cf16a5f49316fde9a642

  • \Users\Admin\AppData\Local\Temp\E2EECore.2.7.2.dll

    Filesize

    8.4MB

    MD5

    8b6c94bbdbfb213e94a5dcb4fac28ce3

    SHA1

    b56102ca4f03556f387f8b30e2b404efabe0cb65

    SHA256

    982a177924762f270b36fe34c7d6847392b48ae53151dc2011078dceef487a53

    SHA512

    9d6d63b5d8cf7a978d7e91126d7a343c2f7acd00022da9d692f63e50835fdd84a59a93328564f10622f2b1f6adfd7febdd98b8ddb294d0754ed45cc9c165d25a

  • memory/2780-13-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

  • memory/2780-82-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB