Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
06-09-2024 21:28
Static task
static1
Behavioral task
behavioral1
Sample
d8fe463548ec31b99e04cf572fa6bc40N.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
d8fe463548ec31b99e04cf572fa6bc40N.exe
Resource
win10v2004-20240802-en
General
-
Target
d8fe463548ec31b99e04cf572fa6bc40N.exe
-
Size
1.9MB
-
MD5
d8fe463548ec31b99e04cf572fa6bc40
-
SHA1
9161e976df1d31c60d8769eb8a99596f71d7a928
-
SHA256
428326fd3f42c283366bc4352d3baa0255bf7557fc513d6ccfbb92c5393cb316
-
SHA512
21cd4f6e1dea498b9bc0a1c382c1dd568f688931673d21959992f189c090e61d91ec02f5ace760b35642653210d3d58df4949b2cf7bacef4939e4015a25f92b0
-
SSDEEP
24576:jiMbTvXdVtTj2i64T+jdxQCfgOFD3WSwd2QtBBw6xxhVxQtmibjOhZaiRu/4oMaY:+0FbTChxKCnFnQXBbrtgb/iQvu0UHOq1
Malware Config
Signatures
-
Executes dropped EXE 6 IoCs
pid Process 3028 @AEF3A2.tmp.exe 2216 d8fe463548ec31b99e04cf572fa6bc40N.exe 2432 WdExt.exe 876 launch.exe 3032 wtmps.exe 1908 mscaps.exe -
Loads dropped DLL 11 IoCs
pid Process 2332 explorer.exe 2332 explorer.exe 2332 explorer.exe 3028 @AEF3A2.tmp.exe 2248 cmd.exe 2248 cmd.exe 2432 WdExt.exe 2056 cmd.exe 2056 cmd.exe 2316 cmd.exe 2316 cmd.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Defender\\launch.exe\"" launch.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\mscaps.exe wtmps.exe File opened for modification C:\Windows\SysWOW64\mscaps.exe wtmps.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d8fe463548ec31b99e04cf572fa6bc40N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language @AEF3A2.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language launch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wtmps.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d8fe463548ec31b99e04cf572fa6bc40N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WdExt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscaps.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 3028 @AEF3A2.tmp.exe 2432 WdExt.exe 876 launch.exe 876 launch.exe 876 launch.exe 876 launch.exe 876 launch.exe 876 launch.exe 876 launch.exe 876 launch.exe 876 launch.exe 876 launch.exe -
Suspicious use of WriteProcessMemory 58 IoCs
description pid Process procid_target PID 2324 wrote to memory of 2332 2324 d8fe463548ec31b99e04cf572fa6bc40N.exe 31 PID 2324 wrote to memory of 2332 2324 d8fe463548ec31b99e04cf572fa6bc40N.exe 31 PID 2324 wrote to memory of 2332 2324 d8fe463548ec31b99e04cf572fa6bc40N.exe 31 PID 2324 wrote to memory of 2332 2324 d8fe463548ec31b99e04cf572fa6bc40N.exe 31 PID 2324 wrote to memory of 2332 2324 d8fe463548ec31b99e04cf572fa6bc40N.exe 31 PID 2324 wrote to memory of 2332 2324 d8fe463548ec31b99e04cf572fa6bc40N.exe 31 PID 2332 wrote to memory of 3028 2332 explorer.exe 32 PID 2332 wrote to memory of 3028 2332 explorer.exe 32 PID 2332 wrote to memory of 3028 2332 explorer.exe 32 PID 2332 wrote to memory of 3028 2332 explorer.exe 32 PID 2332 wrote to memory of 2216 2332 explorer.exe 33 PID 2332 wrote to memory of 2216 2332 explorer.exe 33 PID 2332 wrote to memory of 2216 2332 explorer.exe 33 PID 2332 wrote to memory of 2216 2332 explorer.exe 33 PID 3028 wrote to memory of 2248 3028 @AEF3A2.tmp.exe 34 PID 3028 wrote to memory of 2248 3028 @AEF3A2.tmp.exe 34 PID 3028 wrote to memory of 2248 3028 @AEF3A2.tmp.exe 34 PID 3028 wrote to memory of 2248 3028 @AEF3A2.tmp.exe 34 PID 3028 wrote to memory of 2820 3028 @AEF3A2.tmp.exe 36 PID 3028 wrote to memory of 2820 3028 @AEF3A2.tmp.exe 36 PID 3028 wrote to memory of 2820 3028 @AEF3A2.tmp.exe 36 PID 3028 wrote to memory of 2820 3028 @AEF3A2.tmp.exe 36 PID 2248 wrote to memory of 2432 2248 cmd.exe 38 PID 2248 wrote to memory of 2432 2248 cmd.exe 38 PID 2248 wrote to memory of 2432 2248 cmd.exe 38 PID 2248 wrote to memory of 2432 2248 cmd.exe 38 PID 2432 wrote to memory of 2056 2432 WdExt.exe 39 PID 2432 wrote to memory of 2056 2432 WdExt.exe 39 PID 2432 wrote to memory of 2056 2432 WdExt.exe 39 PID 2432 wrote to memory of 2056 2432 WdExt.exe 39 PID 2056 wrote to memory of 876 2056 cmd.exe 41 PID 2056 wrote to memory of 876 2056 cmd.exe 41 PID 2056 wrote to memory of 876 2056 cmd.exe 41 PID 2056 wrote to memory of 876 2056 cmd.exe 41 PID 2056 wrote to memory of 876 2056 cmd.exe 41 PID 2056 wrote to memory of 876 2056 cmd.exe 41 PID 2056 wrote to memory of 876 2056 cmd.exe 41 PID 876 wrote to memory of 2316 876 launch.exe 42 PID 876 wrote to memory of 2316 876 launch.exe 42 PID 876 wrote to memory of 2316 876 launch.exe 42 PID 876 wrote to memory of 2316 876 launch.exe 42 PID 876 wrote to memory of 2316 876 launch.exe 42 PID 876 wrote to memory of 2316 876 launch.exe 42 PID 876 wrote to memory of 2316 876 launch.exe 42 PID 2316 wrote to memory of 3032 2316 cmd.exe 44 PID 2316 wrote to memory of 3032 2316 cmd.exe 44 PID 2316 wrote to memory of 3032 2316 cmd.exe 44 PID 2316 wrote to memory of 3032 2316 cmd.exe 44 PID 2316 wrote to memory of 3032 2316 cmd.exe 44 PID 2316 wrote to memory of 3032 2316 cmd.exe 44 PID 2316 wrote to memory of 3032 2316 cmd.exe 44 PID 3032 wrote to memory of 1908 3032 wtmps.exe 45 PID 3032 wrote to memory of 1908 3032 wtmps.exe 45 PID 3032 wrote to memory of 1908 3032 wtmps.exe 45 PID 3032 wrote to memory of 1908 3032 wtmps.exe 45 PID 3032 wrote to memory of 1908 3032 wtmps.exe 45 PID 3032 wrote to memory of 1908 3032 wtmps.exe 45 PID 3032 wrote to memory of 1908 3032 wtmps.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8fe463548ec31b99e04cf572fa6bc40N.exe"C:\Users\Admin\AppData\Local\Temp\d8fe463548ec31b99e04cf572fa6bc40N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Users\Admin\AppData\Local\Temp\@AEF3A2.tmp.exe"C:\Users\Admin\AppData\Local\Temp\@AEF3A2.tmp.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "6⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 24327⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "8⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Users\Admin\AppData\Local\Temp\wtmps.exe"C:\Users\Admin\AppData\Local\Temp\wtmps.exe"9⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\mscaps.exe"C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1908
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "4⤵
- System Location Discovery: System Language Discovery
PID:2820
-
-
-
C:\Users\Admin\AppData\Local\Temp\d8fe463548ec31b99e04cf572fa6bc40N.exe"C:\Users\Admin\AppData\Local\Temp\d8fe463548ec31b99e04cf572fa6bc40N.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2216
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
406B
MD537512bcc96b2c0c0cf0ad1ed8cfae5cd
SHA1edf7f17ce28e1c4c82207cab8ca77f2056ea545c
SHA25627e678bf5dc82219d6edd744f0b82567a26e40f8a9dcd6487205e13058e3ed1f
SHA5126d4252ab5aa441a76ce2127224fefcb221259ab4d39f06437b269bd6bfdaae009c8f34e9603ec734159553bc9f1359bdd70316cd426d73b171a9f17c41077641
-
Filesize
200KB
MD56e758c968e9c79e8990c16ad87b4f57f
SHA1e53c453a8a559f1972b80d4b9dcc09cc84204fc1
SHA2569aabb5d3d2bb8e892951dcf1fd96becd7fe5bbed196e16556f43946c1e2a101f
SHA5120e04de61f8e11b7309b6839fceeb193a900ac53942f659abb621de92db2a215e34104a103e989b722cd9002ad9a223f9929c96a30eaed27cd33232d927db0237
-
Filesize
172KB
MD5daac1781c9d22f5743ade0cb41feaebf
SHA1e2549eeeea42a6892b89d354498fcaa8ffd9cac4
SHA2566a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c
SHA512190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160
-
Filesize
129B
MD5d1073c9b34d1bbd570928734aacff6a5
SHA178714e24e88d50e0da8da9d303bec65b2ee6d903
SHA256b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020
SHA5124f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f
-
Filesize
102B
MD51d68f046cd6a9197038fb2445d2bea05
SHA1d8dca54cfa0b2ad404bce32d5d94634bcfc9b2d7
SHA2569cddd4b2ac719f01052deef3aa558fbfbcd21d5728215651345c3d2b9ba250d9
SHA5122720d071fd02b2cf0d9f1de8dd19117fd128f213dd7f66fa8adb00d7873a5de58d2f2618100d28eec85db707d9e34d20258f9a1f76acf75fe668e66722e1cc4c
-
Filesize
126B
MD53203ceed90f4ecc00409765169703bbd
SHA1ff99825eb18890b598ba05961c4e55c1f5944683
SHA2569b51d087f34f17cd3092efceaa37796ceced997de72481d416858875ac08c928
SHA5128eb4975600d1fbe7659b0d1c2b53c52938798abeb058ff1e8a06ed1f9d309a8812e44c39502fa4b9fb126c97ead907e2b8443f4a04255b987ef5072a661fc044
-
Filesize
196B
MD52629f685975a199bc8a91111b804418b
SHA17bd18d2ac648d5ddc59d54c46928ffb9224e5557
SHA2560da306a3ee34cc9ae67c9d0f630bd0514a123909bbeee524e3a98030fbe9954d
SHA512b70c6eac5ac836afcbdb1853b8d01113f2c93b5361d1fd6b556c5c22de8d414e597b616c14d97fb2e594676cfab0d1ccf744d0cc5548c1bb699e920c2dd62245
-
Filesize
202KB
MD5684c111c78f8bf6fcb5575d400e7669c
SHA1d587894c0beffdff00ae6d358a5463ef18bcb485
SHA256080fb4cd0b92884c89efab9161685f3ba0666cd9dab8de6c752bfe35e4e45716
SHA512bcf748d21be502d7346f56ffc9ef13f3394d46c679d7cf17289d007e91b4ead2ec4035b3ccd5626eb378958cbb6ac371edfde8319433db9b709694595ae53e4f
-
Filesize
200KB
MD578d3c8705f8baf7d34e6a6737d1cfa18
SHA19f09e248a29311dbeefae9d85937b13da042a010
SHA2562c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905
SHA5129a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609
-
Filesize
1.7MB
MD527752b3ecd12c7290097ae57bcd8116e
SHA106a8aa9b3b2da990854a29b0008b8ca65c3cb1e5
SHA256eeefc0d2e4c2b56351c40b755f93e837b9480dca6bbea019d7f1067d6b6279d6
SHA512eacc57eece630249e3e1014f77f157acb285dac354fc4da42cc76daff4d162644c207d5a281a448f6a3a0866bd58d1f6727757cbb8ec777d4f994fe02256cc35
-
Filesize
276KB
MD575c1467042b38332d1ea0298f29fb592
SHA1f92ea770c2ddb04cf0d20914578e4c482328f0f8
SHA2563b20c853d4ca23240cd338b8cab16f1027c540ddfe9c4ffdca1624d2f923b373
SHA5125c47c59ad222e2597ccdf2c100853c48f022e933f44c279154346eacf9e7e6f54214ada541d43a10424035f160b56131aab206c11512a9fd6ea614fbd3160aa0
-
Filesize
1.7MB
MD5c989ac4a8372a745d50e83871e4ba896
SHA11b92704d0819b8a4f74a9568cfd84b8d7fc0e488
SHA25630f7efb50c570fcdb1788578a6a09186cec1b79ae7ae8612df519ce4721a6fb6
SHA5122cdc91a6d8003f3163c9ee06f94cb0fd89ccba8a773b0ba84cd84233b177d191ad8388e3e7d802933796830b059900132f874ab148f14df4ccdf2c4f73f003ea
-
Filesize
202KB
MD57ff15a4f092cd4a96055ba69f903e3e9
SHA1a3d338a38c2b92f95129814973f59446668402a8
SHA2561b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627
SHA5124b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae