6f92d661d1cda6de6180d85a05de73875c5fab457ca7b1aadcaf9970d73b58d7

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-09-2024 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff911b3c0d50849eb8196b28ae1a20e0465ec000fe961d16502ac47180402c5a.exe
Size

455KB
MD5

d647d6451f8b83109e952e57ea8814f1
SHA1

5c869fdeba1e549878664a26544048ba662a2d7e
SHA256

ff911b3c0d50849eb8196b28ae1a20e0465ec000fe961d16502ac47180402c5a
SHA512

ee7ad2a3da672b4560f8e83191e9e04708d3cd2be283fa9a3855838fb7e5cbc9a228164fb6baaae4c0b93a4f68fdcc322a336c62d2a270386c9b33618e3cc692
SSDEEP

12288:SYzGVM3VyJgeE7uXsQeVtBKNkWPamDNhWG+XwWr:SPMl6gl7PJV3KCYWGSwWr

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1808	qooryy.exe

Loads dropped DLL 1 IoCs

pid	Process
2368	ff911b3c0d50849eb8196b28ae1a20e0465ec000fe961d16502ac47180402c5a.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\pigbo\qooryy.exe	ff911b3c0d50849eb8196b28ae1a20e0465ec000fe961d16502ac47180402c5a.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff911b3c0d50849eb8196b28ae1a20e0465ec000fe961d16502ac47180402c5a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 1808	2368	ff911b3c0d50849eb8196b28ae1a20e0465ec000fe961d16502ac47180402c5a.exe	30
PID 2368 wrote to memory of 1808	2368	ff911b3c0d50849eb8196b28ae1a20e0465ec000fe961d16502ac47180402c5a.exe	30
PID 2368 wrote to memory of 1808	2368	ff911b3c0d50849eb8196b28ae1a20e0465ec000fe961d16502ac47180402c5a.exe	30
PID 2368 wrote to memory of 1808	2368	ff911b3c0d50849eb8196b28ae1a20e0465ec000fe961d16502ac47180402c5a.exe	30

C:\Users\Admin\AppData\Local\Temp\ff911b3c0d50849eb8196b28ae1a20e0465ec000fe961d16502ac47180402c5a.exe
"C:\Users\Admin\AppData\Local\Temp\ff911b3c0d50849eb8196b28ae1a20e0465ec000fe961d16502ac47180402c5a.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Program Files (x86)\pigbo\qooryy.exe
  "C:\Program Files (x86)\pigbo\qooryy.exe"
  2⤵
  - Executes dropped EXE
  PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\pigbo\qooryy.exe

Filesize
479KB

MD5
91212eb0a10dd7fd9b8649d7aa3c3f49

SHA1
6260cda89eabd0fd667eb0b7e5742363949179ea

SHA256
1a597597b97e6011741d194d14826186d1ab21f88caa27c0e32568e04003db67

SHA512
a6c0b875a5f14fadd6dd02cbb335b290233dd0ef265a1b7108c14945603e2f38bb0b337082a724c11bf8d7907d38d8b7f30f8c7c3cf66ededc9315417256ee54

Download Submit
memory/1808-10-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1808-9-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1808-8-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2368-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2368-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2368-6-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download