Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    06-09-2024 21:28

General

  • Target

    d8fe463548ec31b99e04cf572fa6bc40N.exe

  • Size

    1.9MB

  • MD5

    d8fe463548ec31b99e04cf572fa6bc40

  • SHA1

    9161e976df1d31c60d8769eb8a99596f71d7a928

  • SHA256

    428326fd3f42c283366bc4352d3baa0255bf7557fc513d6ccfbb92c5393cb316

  • SHA512

    21cd4f6e1dea498b9bc0a1c382c1dd568f688931673d21959992f189c090e61d91ec02f5ace760b35642653210d3d58df4949b2cf7bacef4939e4015a25f92b0

  • SSDEEP

    24576:jiMbTvXdVtTj2i64T+jdxQCfgOFD3WSwd2QtBBw6xxhVxQtmibjOhZaiRu/4oMaY:+0FbTChxKCnFnQXBbrtgb/iQvu0UHOq1

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8fe463548ec31b99e04cf572fa6bc40N.exe
    "C:\Users\Admin\AppData\Local\Temp\d8fe463548ec31b99e04cf572fa6bc40N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Users\Admin\AppData\Local\Temp\@AEF3A2.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\@AEF3A2.tmp.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3028
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2248
          • C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2432
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
              6⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2056
              • C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 2432
                7⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:876
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
                  8⤵
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2316
                  • C:\Users\Admin\AppData\Local\Temp\wtmps.exe
                    "C:\Users\Admin\AppData\Local\Temp\wtmps.exe"
                    9⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:3032
                    • C:\Windows\SysWOW64\mscaps.exe
                      "C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1908
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2820
      • C:\Users\Admin\AppData\Local\Temp\d8fe463548ec31b99e04cf572fa6bc40N.exe
        "C:\Users\Admin\AppData\Local\Temp\d8fe463548ec31b99e04cf572fa6bc40N.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2216

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2A0.tmp

    Filesize

    406B

    MD5

    37512bcc96b2c0c0cf0ad1ed8cfae5cd

    SHA1

    edf7f17ce28e1c4c82207cab8ca77f2056ea545c

    SHA256

    27e678bf5dc82219d6edd744f0b82567a26e40f8a9dcd6487205e13058e3ed1f

    SHA512

    6d4252ab5aa441a76ce2127224fefcb221259ab4d39f06437b269bd6bfdaae009c8f34e9603ec734159553bc9f1359bdd70316cd426d73b171a9f17c41077641

  • C:\Users\Admin\AppData\Local\Temp\d8fe463548ec31b99e04cf572fa6bc40N.exe

    Filesize

    200KB

    MD5

    6e758c968e9c79e8990c16ad87b4f57f

    SHA1

    e53c453a8a559f1972b80d4b9dcc09cc84204fc1

    SHA256

    9aabb5d3d2bb8e892951dcf1fd96becd7fe5bbed196e16556f43946c1e2a101f

    SHA512

    0e04de61f8e11b7309b6839fceeb193a900ac53942f659abb621de92db2a215e34104a103e989b722cd9002ad9a223f9929c96a30eaed27cd33232d927db0237

  • C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe

    Filesize

    172KB

    MD5

    daac1781c9d22f5743ade0cb41feaebf

    SHA1

    e2549eeeea42a6892b89d354498fcaa8ffd9cac4

    SHA256

    6a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c

    SHA512

    190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160

  • C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

    Filesize

    129B

    MD5

    d1073c9b34d1bbd570928734aacff6a5

    SHA1

    78714e24e88d50e0da8da9d303bec65b2ee6d903

    SHA256

    b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020

    SHA512

    4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

  • C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

    Filesize

    102B

    MD5

    1d68f046cd6a9197038fb2445d2bea05

    SHA1

    d8dca54cfa0b2ad404bce32d5d94634bcfc9b2d7

    SHA256

    9cddd4b2ac719f01052deef3aa558fbfbcd21d5728215651345c3d2b9ba250d9

    SHA512

    2720d071fd02b2cf0d9f1de8dd19117fd128f213dd7f66fa8adb00d7873a5de58d2f2618100d28eec85db707d9e34d20258f9a1f76acf75fe668e66722e1cc4c

  • C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

    Filesize

    126B

    MD5

    3203ceed90f4ecc00409765169703bbd

    SHA1

    ff99825eb18890b598ba05961c4e55c1f5944683

    SHA256

    9b51d087f34f17cd3092efceaa37796ceced997de72481d416858875ac08c928

    SHA512

    8eb4975600d1fbe7659b0d1c2b53c52938798abeb058ff1e8a06ed1f9d309a8812e44c39502fa4b9fb126c97ead907e2b8443f4a04255b987ef5072a661fc044

  • C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

    Filesize

    196B

    MD5

    2629f685975a199bc8a91111b804418b

    SHA1

    7bd18d2ac648d5ddc59d54c46928ffb9224e5557

    SHA256

    0da306a3ee34cc9ae67c9d0f630bd0514a123909bbeee524e3a98030fbe9954d

    SHA512

    b70c6eac5ac836afcbdb1853b8d01113f2c93b5361d1fd6b556c5c22de8d414e597b616c14d97fb2e594676cfab0d1ccf744d0cc5548c1bb699e920c2dd62245

  • C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

    Filesize

    202KB

    MD5

    684c111c78f8bf6fcb5575d400e7669c

    SHA1

    d587894c0beffdff00ae6d358a5463ef18bcb485

    SHA256

    080fb4cd0b92884c89efab9161685f3ba0666cd9dab8de6c752bfe35e4e45716

    SHA512

    bcf748d21be502d7346f56ffc9ef13f3394d46c679d7cf17289d007e91b4ead2ec4035b3ccd5626eb378958cbb6ac371edfde8319433db9b709694595ae53e4f

  • C:\Windows\SysWOW64\mscaps.exe

    Filesize

    200KB

    MD5

    78d3c8705f8baf7d34e6a6737d1cfa18

    SHA1

    9f09e248a29311dbeefae9d85937b13da042a010

    SHA256

    2c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905

    SHA512

    9a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609

  • \Users\Admin\AppData\Local\Temp\@AEF3A2.tmp.exe

    Filesize

    1.7MB

    MD5

    27752b3ecd12c7290097ae57bcd8116e

    SHA1

    06a8aa9b3b2da990854a29b0008b8ca65c3cb1e5

    SHA256

    eeefc0d2e4c2b56351c40b755f93e837b9480dca6bbea019d7f1067d6b6279d6

    SHA512

    eacc57eece630249e3e1014f77f157acb285dac354fc4da42cc76daff4d162644c207d5a281a448f6a3a0866bd58d1f6727757cbb8ec777d4f994fe02256cc35

  • \Users\Admin\AppData\Local\Temp\wtmps.exe

    Filesize

    276KB

    MD5

    75c1467042b38332d1ea0298f29fb592

    SHA1

    f92ea770c2ddb04cf0d20914578e4c482328f0f8

    SHA256

    3b20c853d4ca23240cd338b8cab16f1027c540ddfe9c4ffdca1624d2f923b373

    SHA512

    5c47c59ad222e2597ccdf2c100853c48f022e933f44c279154346eacf9e7e6f54214ada541d43a10424035f160b56131aab206c11512a9fd6ea614fbd3160aa0

  • \Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

    Filesize

    1.7MB

    MD5

    c989ac4a8372a745d50e83871e4ba896

    SHA1

    1b92704d0819b8a4f74a9568cfd84b8d7fc0e488

    SHA256

    30f7efb50c570fcdb1788578a6a09186cec1b79ae7ae8612df519ce4721a6fb6

    SHA512

    2cdc91a6d8003f3163c9ee06f94cb0fd89ccba8a773b0ba84cd84233b177d191ad8388e3e7d802933796830b059900132f874ab148f14df4ccdf2c4f73f003ea

  • \Users\Admin\AppData\Roaming\Temp\mydll.dll

    Filesize

    202KB

    MD5

    7ff15a4f092cd4a96055ba69f903e3e9

    SHA1

    a3d338a38c2b92f95129814973f59446668402a8

    SHA256

    1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

    SHA512

    4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

  • memory/876-300-0x0000000010000000-0x0000000010015000-memory.dmp

    Filesize

    84KB

  • memory/3028-17-0x0000000010000000-0x0000000010015000-memory.dmp

    Filesize

    84KB