Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/08/2024, 01:55

General

  • Target

    7f5807833be0e855eccdef3320d43440N.exe

  • Size

    191KB

  • MD5

    7f5807833be0e855eccdef3320d43440

  • SHA1

    ebc8320a69f14ed66b0cb5ca1adabd2ce224e65f

  • SHA256

    0fcb21ac21f8d2254ada9cae1e29f6f806c7c24d5febb6510787bb6524a40a03

  • SHA512

    1f7cb58500ff2b9226c411199aeeea03b9d7066b752b70defd57ac7e98accf913f30faea883c4f388878e797463a6c7e579133809f38de9ce25174e548c48feb

  • SSDEEP

    3072:wAKEsYqqjfipJWYpWJZfGXFxUYyaJC6sOMD5Qjj9jRMKSlJ8subptbbG+X:DKE+qjfipJWYpWJZfGXFRJJRsOM9+j5L

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 14 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f5807833be0e855eccdef3320d43440N.exe
    "C:\Users\Admin\AppData\Local\Temp\7f5807833be0e855eccdef3320d43440N.exe"
    1⤵
    • Enumerates connected drives
    • Maps connected drives based on registry
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\ProgramData\UserRuntime\stdole.exe
      "C:\ProgramData\UserRuntime\stdole.exe" 1
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4652
      • C:\Users\Admin\AppData\Roaming\UserRuntime\stdole.exe
        "C:\Users\Admin\AppData\Roaming\UserRuntime\stdole.exe" 1
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Maps connected drives based on registry
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:3824
    • C:\ProgramData\UserRuntime\stdole.exe
      "C:\ProgramData\UserRuntime\stdole.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\ProgramData\UserRuntime\stdole.exe
        "C:\ProgramData\UserRuntime\stdole.exe" 1
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Maps connected drives based on registry
        • System Location Discovery: System Language Discovery
        PID:3740
  • C:\ProgramData\UserRuntime\stdole.exe
    C:\ProgramData\UserRuntime\stdole.exe
    1⤵
    • Executes dropped EXE
    • Enumerates connected drives
    • Maps connected drives based on registry
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4044
    • C:\ProgramData\UserRuntime0\stdole.exe
      "C:\ProgramData\UserRuntime0\stdole.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:1464

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\UserRuntime0\awdak.drv

    Filesize

    2KB

    MD5

    90a067318a9fdf33d01e71642eb8e07f

    SHA1

    43fea3a1c3c8bd180126c0a620fb909ef7beafdc

    SHA256

    37eb6cba5ef47cf33ddafaa33423e4b2fac3ea29a1e9ca718d93b4063ce36e69

    SHA512

    09b99eca262b137e2ea5c897dae6b4ca4e90924230785a04a375de4d80f50ebc065e1be3c26fcf2b6fbb1303bc1b4aa634790e7a78614885a5a35865f05a5d9d

  • C:\ProgramData\UserRuntime0\gao\duixadaton.mui

    Filesize

    7KB

    MD5

    b929a6652501cec40d562b1238ee47db

    SHA1

    450cafe1d6522f2690d606e48b8c6bfa2e899ceb

    SHA256

    63e8b9cbe32880711cf0f643af9940ee78c8b0b3a33e742c6d2d02186c6aae05

    SHA512

    624d1bdb021f6f2b2ef00d91635b41b35de6a593cdf3dd91734cbcdcbe0217a4342a4cca9b70567384e2317e5ae12371f5f6edb3d72c7e4750d024faa8eb96a2

  • C:\ProgramData\UserRuntime0\gao\garaipaxp.dat

    Filesize

    4KB

    MD5

    2a913a247b903ac299f621ba62c5d092

    SHA1

    0e4f95779b6ee312ea2336e6f769efa7286e65db

    SHA256

    9dc7af8bd9b68e033bcd8b9a96cb907b147c0cdc6122c7d320dcee947fd0b124

    SHA512

    513dfce458c6cc81895e7738620c49d8cdba19f3e50e05b1742faab815345a8e647182989fb36570764ebe929702ecca197a5ae09b19f01e8225c344bb480c5d

  • C:\ProgramData\UserRuntime0\gao\sahucekiep.sys

    Filesize

    4KB

    MD5

    3cebc3932070d16dffc763e6a88efc86

    SHA1

    7306aedd88a69c353b4cb697dcf47740a82b67e2

    SHA256

    6762488dc899b90eaf2b0d1191f31c5e0eff68121241226a33a458fa71fb5d4f

    SHA512

    0f58bb48974d95f429a7e4a51a848d61d141e8397f5d45df35ace20a4ea88ca6bb80dda0fdd183beda9f4ea54c6f2b8e4c5e4d03db81b39f827b30177b1382e6

  • C:\ProgramData\UserRuntime0\gao\teotbaikiv.dat

    Filesize

    4KB

    MD5

    87c89c46318dadc5cedc23cfb5520ca8

    SHA1

    18572f3ca410f37c00f0836943fca1e48881db9a

    SHA256

    8ae7c1dc4194bc87d481a2ebdaead7ec1a67ddb8710a3c53585200fd966b0820

    SHA512

    1e55fef32745901dee3b4a6cb242e38cfc71d4be81e4694da77112066fac97c18f2d372f8c1e8f5711cb95cb92e90c95c7c1383013162128fcb4ed00c3f29080

  • C:\ProgramData\UserRuntime0\gaweba\ehumvexiul.bin

    Filesize

    2KB

    MD5

    fe7f6ad299413ec2124106a0bddef197

    SHA1

    b6e0f389df92cdfe98dc66f7103654bfb0419cda

    SHA256

    4be59d70d1c5aeb4a4fafc3b361b16cdbc0e85384626223b319bb8c38141bbfe

    SHA512

    fcae84d8679072d6665724808ee8910dd49d1f6d796227e8015c25a3076bf4adb058b3a2d4f68596b762dc0642c443530c4c5ba4a0a5f47ef8ffbf4f7d2751e3

  • C:\ProgramData\UserRuntime0\gaweba\uqqe.drv

    Filesize

    5KB

    MD5

    08331e9c1d0753382c0d74c9eaba8785

    SHA1

    adf9698a7aa31bd75e19c44c75b4e9f61f3af756

    SHA256

    98cf1b575436aadb85570bcfd6814b245bc87c2b13ef69b874fb6f968e37ceb5

    SHA512

    ed7576fa23e5dce5e8ab16ac4d4f95c7304425f62418bbe9418b88d196240d2918705d2486a2285424d7e988271bb46fdce88023abcf746582cd17277381853d

  • C:\ProgramData\UserRuntime0\ipegiq.dat

    Filesize

    7KB

    MD5

    c9507ee5d80fe8b46668fafd31cdd7de

    SHA1

    1b3dc8323755fb653da0b2aaa820470921965e89

    SHA256

    5e7f044a2261690f918999458f73e66f539713f6983a33cdd6d5e2899e5ab789

    SHA512

    30e6cede21bfeb172d06bab84284062a5aaecfa786387cc47c9abfe1561a71de033ab3717968ede2d3781556177849cf401f8a5a8ec4dad6908a071a6db96086

  • C:\ProgramData\UserRuntime0\luixdegoq.sys

    Filesize

    1KB

    MD5

    e724e67fafb013fcb9bf2a999e6c29d1

    SHA1

    3420f01c75e3a6dba35267c7794f847f2f7e19e3

    SHA256

    e7a7aa81ef65ef9fa719d161e4960db44016779343f304ad507dbcdc457f3fd9

    SHA512

    f74d762e6980e6786cbe15f925c1d10ee1ab36a2239f8ed9db3dde049f115975a8c564388ece063a589204306fd989ba28229eef0aa0d8cb870137bdf740a415

  • C:\ProgramData\UserRuntime0\oxufilifob.cat

    Filesize

    7KB

    MD5

    997169e6dcdc40dd4f2a7291ecb128d9

    SHA1

    9a314a9b7d03fda871c7e749cb7f4f196d351e83

    SHA256

    3b353ea93badfe2f99e8892e84f8d762a2281c831d7f55b850206994fddcd4f5

    SHA512

    dc9696ca4514c48fa40a17549ee25619b0385df571a35770b95be5e9ef58dd440b5d62d7d5463cda612e6ea7b4985cbb62118a3e496fdcf0e4a6a98473e24300

  • C:\ProgramData\UserRuntime\stdole.exe

    Filesize

    191KB

    MD5

    c0e51eda0269d6faf7de83e4c61a0a16

    SHA1

    553c3e281cd6cef0b35f1a833fc9c4d73e6edd3d

    SHA256

    23d6c92036a01fe401d0a5a6d85a208416fa67237d0d516fef6327cf794df197

    SHA512

    75b219c8f025ba6762c933826fd94ff7eeedddb5ccbb9e5943ad2380c9da3d58d77365b326388c1a99999114afdc5a2bc81e74e094a4c883dad14282a13e95b1

  • C:\Users\Admin\AppData\Roaming\UserRuntime\drt\dautacaba.dat

    Filesize

    8KB

    MD5

    c332202caed56c254c1d9dac19d0818c

    SHA1

    fbaabd9bac3dfcfe0e6d8b8692ba031030bac6de

    SHA256

    41e5c6e5d9ef96208cc0ebd29275c935bb5c2710767bd7dda7abe60b95a17aa4

    SHA512

    f248c2d376074d2573c823ff771d4fd2a60477fd4fb21b3d5614bc4d959f84b23fe52f96b122cd1f04e20a5d6ed08ce76d67c6037947e365ca81dd37aefa2326

  • C:\Users\Admin\AppData\Roaming\UserRuntime\drt\ramoloq.ocx

    Filesize

    3KB

    MD5

    f8c5880d31fea70a5fb51770cda5fb38

    SHA1

    87bd290677ae64fea94cece97edd74491d4aa14a

    SHA256

    102567ae486c41e0d4bff8af3be40108b003ac0ae497ea881bdcc27372adf3b1

    SHA512

    7c9549b3ee0f88695eff27350d452b8089dccdb16c220252173b32cee545ff97ae6964e1c5c6bf131fa2e048ec0c896f9e9391648fdf4d4d657a4624e97cb5bd

  • C:\Users\Admin\AppData\Roaming\UserRuntime\stdole.exe

    Filesize

    191KB

    MD5

    6bcbc0c3558c16b862aeb0e0b0c8e8bb

    SHA1

    dd0519c9bc4b7b59df2202fe9c7d8cd1091596d0

    SHA256

    26fbc3adf2c267f1781403193de2c73b455d7f39be4b2712fe72f68ead03311d

    SHA512

    4a5ea9121147e7a80121775ab2e28f88970b3e500340f8c36e36068d63adf978d7fbb846e03094efd3881f5f24f22d0d042a987afee2e49b926b3c7e623d8a6e

  • memory/3824-139-0x0000000073BF0000-0x0000000073C29000-memory.dmp

    Filesize

    228KB

  • memory/3824-172-0x0000000073BF0000-0x0000000073C29000-memory.dmp

    Filesize

    228KB