2c52f6d1206bc754c5e3ad485b7406d7d611d7d490a2252a969f2cd874ea9569

Analysis

max time kernel
91s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
29-08-2024 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c52f6d1206bc754c5e3ad485b7406d7d611d7d490a2252a969f2cd874ea9569.exe
Size

3.2MB
MD5

f8afafba3e86d50ad9edce1d0ea179ab
SHA1

da2a418d7d4f39222d16cfad8cb381ca53f7339c
SHA256

2c52f6d1206bc754c5e3ad485b7406d7d611d7d490a2252a969f2cd874ea9569
SHA512

a23d51e4621b9a18d9f99d797bccf64ded9fddc0c63ccda8df5d1d13c5e35633c14bcb66a3dd1205d07c5c3637a9d58e17794e1e85b9d78e578ec723a708abc4
SSDEEP

49152:Aa5dRh/rrdcQX7kAmen7jJRkNkdKiJZeKtH0LzHPzkRyq/cHG53IpOMb6tdz6c:Aa5rJ/+ewIH/5dKaZeQH0Lc8GKAdz6c

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 11 IoCs

pid	Process
2392	7z.exe
748	7z.exe
2288	7z.exe
132	7z.exe
4912	7z.exe
3380	7z.exe
2060	7z.exe
4536	7z.exe
4716	7z.exe
4240	7z.exe
772	nRQUvisZS5yyGTCGUs.exe

Loads dropped DLL 10 IoCs

pid	Process
2392	7z.exe
748	7z.exe
2288	7z.exe
132	7z.exe
4912	7z.exe
3380	7z.exe
2060	7z.exe
4536	7z.exe
4716	7z.exe
4240	7z.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 772 set thread context of 3852	772	nRQUvisZS5yyGTCGUs.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2432	3852	WerFault.exe	97
3288	3852	WerFault.exe	97
3720	3852	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c52f6d1206bc754c5e3ad485b7406d7d611d7d490a2252a969f2cd874ea9569.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nRQUvisZS5yyGTCGUs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeRestorePrivilege	2392	7z.exe
Token: 35	2392	7z.exe
Token: SeSecurityPrivilege	2392	7z.exe
Token: SeSecurityPrivilege	2392	7z.exe
Token: SeRestorePrivilege	748	7z.exe
Token: 35	748	7z.exe
Token: SeSecurityPrivilege	748	7z.exe
Token: SeSecurityPrivilege	748	7z.exe
Token: SeRestorePrivilege	2288	7z.exe
Token: 35	2288	7z.exe
Token: SeSecurityPrivilege	2288	7z.exe
Token: SeSecurityPrivilege	2288	7z.exe
Token: SeRestorePrivilege	132	7z.exe
Token: 35	132	7z.exe
Token: SeSecurityPrivilege	132	7z.exe
Token: SeSecurityPrivilege	132	7z.exe
Token: SeRestorePrivilege	4912	7z.exe
Token: 35	4912	7z.exe
Token: SeSecurityPrivilege	4912	7z.exe
Token: SeSecurityPrivilege	4912	7z.exe
Token: SeRestorePrivilege	3380	7z.exe
Token: 35	3380	7z.exe
Token: SeSecurityPrivilege	3380	7z.exe
Token: SeSecurityPrivilege	3380	7z.exe
Token: SeRestorePrivilege	2060	7z.exe
Token: 35	2060	7z.exe
Token: SeSecurityPrivilege	2060	7z.exe
Token: SeSecurityPrivilege	2060	7z.exe
Token: SeRestorePrivilege	4536	7z.exe
Token: 35	4536	7z.exe
Token: SeSecurityPrivilege	4536	7z.exe
Token: SeSecurityPrivilege	4536	7z.exe
Token: SeRestorePrivilege	4716	7z.exe
Token: 35	4716	7z.exe
Token: SeSecurityPrivilege	4716	7z.exe
Token: SeSecurityPrivilege	4716	7z.exe
Token: SeRestorePrivilege	4240	7z.exe
Token: 35	4240	7z.exe
Token: SeSecurityPrivilege	4240	7z.exe
Token: SeSecurityPrivilege	4240	7z.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 3312	4528	2c52f6d1206bc754c5e3ad485b7406d7d611d7d490a2252a969f2cd874ea9569.exe	82
PID 4528 wrote to memory of 3312	4528	2c52f6d1206bc754c5e3ad485b7406d7d611d7d490a2252a969f2cd874ea9569.exe	82
PID 3312 wrote to memory of 2400	3312	cmd.exe	84
PID 3312 wrote to memory of 2400	3312	cmd.exe	84
PID 3312 wrote to memory of 2392	3312	cmd.exe	85
PID 3312 wrote to memory of 2392	3312	cmd.exe	85
PID 3312 wrote to memory of 748	3312	cmd.exe	86
PID 3312 wrote to memory of 748	3312	cmd.exe	86
PID 3312 wrote to memory of 2288	3312	cmd.exe	87
PID 3312 wrote to memory of 2288	3312	cmd.exe	87
PID 3312 wrote to memory of 132	3312	cmd.exe	88
PID 3312 wrote to memory of 132	3312	cmd.exe	88
PID 3312 wrote to memory of 4912	3312	cmd.exe	89
PID 3312 wrote to memory of 4912	3312	cmd.exe	89
PID 3312 wrote to memory of 3380	3312	cmd.exe	90
PID 3312 wrote to memory of 3380	3312	cmd.exe	90
PID 3312 wrote to memory of 2060	3312	cmd.exe	91
PID 3312 wrote to memory of 2060	3312	cmd.exe	91
PID 3312 wrote to memory of 4536	3312	cmd.exe	92
PID 3312 wrote to memory of 4536	3312	cmd.exe	92
PID 3312 wrote to memory of 4716	3312	cmd.exe	93
PID 3312 wrote to memory of 4716	3312	cmd.exe	93
PID 3312 wrote to memory of 4240	3312	cmd.exe	94
PID 3312 wrote to memory of 4240	3312	cmd.exe	94
PID 3312 wrote to memory of 1928	3312	cmd.exe	95
PID 3312 wrote to memory of 1928	3312	cmd.exe	95
PID 3312 wrote to memory of 772	3312	cmd.exe	96
PID 3312 wrote to memory of 772	3312	cmd.exe	96
PID 3312 wrote to memory of 772	3312	cmd.exe	96
PID 772 wrote to memory of 3852	772	nRQUvisZS5yyGTCGUs.exe	97
PID 772 wrote to memory of 3852	772	nRQUvisZS5yyGTCGUs.exe	97
PID 772 wrote to memory of 3852	772	nRQUvisZS5yyGTCGUs.exe	97
PID 772 wrote to memory of 3852	772	nRQUvisZS5yyGTCGUs.exe	97
PID 772 wrote to memory of 3852	772	nRQUvisZS5yyGTCGUs.exe	97

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1928	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2c52f6d1206bc754c5e3ad485b7406d7d611d7d490a2252a969f2cd874ea9569.exe
"C:\Users\Admin\AppData\Local\Temp\2c52f6d1206bc754c5e3ad485b7406d7d611d7d490a2252a969f2cd874ea9569.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:2400
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p151921358818216190771159712614 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_9.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:748
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_8.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_7.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:132
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_6.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4912
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3380
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4536
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4716
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4240
- - C:\Windows\system32\attrib.exe
    attrib +H "nRQUvisZS5yyGTCGUs.exe"
    3⤵
    - Views/modifies file attributes
    PID:1928
- - C:\Users\Admin\AppData\Local\Temp\main\nRQUvisZS5yyGTCGUs.exe
    "nRQUvisZS5yyGTCGUs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3852
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 1232
        5⤵
        Program crash
        
        PID:2432
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 1164
        5⤵
        Program crash
        
        PID:3288
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 1164
        5⤵
        Program crash
        
        PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3852 -ip 3852
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3852 -ip 3852
1⤵
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3852 -ip 3852
1⤵
PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
43aae2a6566fde0ba4bb6ac7eb8a2d9b

SHA1
600e2399cf9f11ec75b17729e5e770188d0365c1

SHA256
2a9584d775535aeeb4efcced681b478401daa051ed5d93e3401d393e3a3d4d8e

SHA512
027951b64a4d68aa11c5c52d7df3d1238bb8b02ffc85a966cbd1758ee81826611f928eaea3c438fc7006176945eb45424b22a414a0fdebcbfe85bf31d36610f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
702KB

MD5
ba3f5afa1e53146b404395483712fb14

SHA1
70c5c1c73e8891a56429b3a3fdf0bb1b3cb9ec54

SHA256
62b209a7385464459f6c34fd31d160a21b38dbcb627ddb7ef9f1f4b7567f23f9

SHA512
ba77869f1a4eb60cad2b9346de775317be6a20e884e6689539355d57e14678a5f13c3adfd44671d7831f57c9e1587f9a7736a4e80f98f58a5cdbefd47f983834

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
702KB

MD5
e750fba0b64391a934fb93b3753529b6

SHA1
d3028d85a7052c9a59cfc6d89a8cdca6459bc460

SHA256
a2e6b8d81e5322eeed80bc3d4b6da3ab0574fe9ff3c4b49e30c0f7159c3369c2

SHA512
33f7b1dc3f4193028218b4250d6786aedcc3a3333ca940b6ff582ece60ec4564774114547acf5eaecbdb89b7e850695cc6c27e0ddc9963027407101158f2b2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
702KB

MD5
a9f77d700719afd4bb038e7aed531344

SHA1
1462339d5c807a76dcafb2656b6aca6ee0d60666

SHA256
7df19bca8feab85046f19831d1874fbc3fadb9e30a392d7375f50aac174d6123

SHA512
ae5851a887ad2796651b5f1dd59115f0bb00c509029d1999d9f54a7e5f231eb8f98f51b9ff06e94c3d9bbe436bb9ef21aa4740a3cbe84ae695ad8ca0ce448c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
702KB

MD5
8c6e76beb87b9cfff64e5a54f1c227df

SHA1
05c40771381d42b88fd7ca1c4a57b55391def50f

SHA256
cf2c06ccde56e42374647c1cb39563f236b2088b312be3cd68f66a1effabdfd8

SHA512
946ded739baa321c7d5162b210d3117d4bf5751ed2fe413d674e2c2f6c2e836b73b5b4731c360bcc79509de50d7051d68fcf2b181bfe9cee6787ca9d882ac545

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
702KB

MD5
9c177f44457d3a1589f64dacafcf5ee5

SHA1
3e561635879d9b5b3337fe92426386890634e55d

SHA256
599a40d0ac901e9fffcabde40f74474126c260c215d45ac0f6c479ab222a6243

SHA512
1646bea1b5eabeb28cb0713d7ec4b6010390280c0f36cba5e145ea65a4d4ead520dee70ec3be5c269c6500c3a306a1e4abc86ca3752d5653f957101768155594

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
703KB

MD5
e8c36f78487d680955ce66b9e56c5cea

SHA1
89b90f78f7db329662a10d8d555a6fb3f0970806

SHA256
8057b11b42ea9d4213d9677567b59b020172e97119a8c0150a96be3373b819b7

SHA512
b39fbea1273090eac573a755cf33e29b202b473310362e7a54362caed8c2289809c2bc3dd902833f71f7a67799b8a992a994bcee3d0bd7bc2dd6f242e5018834

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

Filesize
703KB

MD5
79b83d924dfe491fbbd357d0d2ba3537

SHA1
ce1c477e380c6c1baf4fe7ee947e7893edc0d8ec

SHA256
28012fb4ed536207b7ed824424c0ac2550286c3d5c64ea10a8645143ed2fdf20

SHA512
3f5e6b889204874cbeb8234921d5e916d1529231f5dd1bd52781748bd7a88ae07ed409b251fb5d67a3479930791a4fb7914ee162791242fe694cc41b89f74ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip

Filesize
703KB

MD5
e43b1a119fd6e09912cf4a1c9e5380c5

SHA1
678fcb1d3ece3bc0ad7a05bcf3edf6a04890f9a8

SHA256
005ad39af288f4a11564c88a14528df929da1a5bff930af6a803c173ca6c9b19

SHA512
d7f35adeabdf407a34eb462bdc6cd5958d107a7fe8fd55ce708283bfbf938047c5f8044a529c698e69fb74122920d413cae53bb89afa3fb2669c0152fd31a058

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip

Filesize
2.3MB

MD5
9c466d3f3e802906a978cd14705a36cd

SHA1
4b48f197c94725b7ea61d438ba14717bc5587efc

SHA256
73ca27aa83e83f8609e41055c71b0715e2ba2c2759941bf0733164c11ee41138

SHA512
7238582f31aff809015424bccdba310459c9ce8e29efbf47c961a302e3dbf4a8c436b393bdae6097abe168bcf7d5b407d1ef4b4552633938ba997ccd122f3289

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
2.3MB

MD5
b4581612d06dbbd6009168d180b71b75

SHA1
3a351b6fcd554ffd1da0c5d56cf49461fb9a9a11

SHA256
ddeba62b92a2abb1f230bcddfcc56cccd6f9e7f15bd536a0cc699a2133b57123

SHA512
83fd082a9463adced28c938232daae549d534dbbb91296c0167b917fcb97020ab478918810a5bfaf177f1733569b0482ed4bd6b6e9dac9220803170390dda9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
521B

MD5
a0aaf1fd029e946cc8ab2628aa972729

SHA1
280ebbf12eb0344a39b44a445090b24bb8c1569d

SHA256
7571848c9299ddeaa782dc55b48ecc6fccaf77ccc7decdab6a7cc63f4d8b202e

SHA512
03e33ab4f4e787ecc9c07ee9f7ca9b1839a22998a206b971c51db60cd8d41465bdf84b00fa50564052750e20c0636a8546c4e830488fade71391657dc61bbe39

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\nRQUvisZS5yyGTCGUs.exe

Filesize
870KB

MD5
a5e9a6102f073ccde190fa1c6bea9d5f

SHA1
1a5d427d0738c8da04dea72a15b1cda76c361336

SHA256
46d02b58dd26cc524064d5fbe0a4f2a54d97e5b01d524c1a1beedeb54079f10e

SHA512
ee89f3aa7160550c9e7a5ab5c8dec5c5c43092f84a198af3e1bea221bdfd9dde7280130012ea5262fcdd350c0261dd3ab054e2c9eee0b81611b2f0e4b5e00ee1

Download Submit
memory/3852-85-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3852-80-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download