Analysis

  • max time kernel
    142s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/09/2024, 23:53 UTC

General

  • Target

    d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe

  • Size

    7.9MB

  • MD5

    8d1307a9e1186f89399e2251998f1494

  • SHA1

    d2614c64b38c812e1ceafdac6b5527b21dc4c6c3

  • SHA256

    d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7

  • SHA512

    496f235c39695b88358c96891fc61ca0440130dd9cfecdbc68d8c2747c9cdfac8b3d2542c49df82d01b3192ce04d5e343584df711e0049626f2c2028c78241b2

  • SSDEEP

    196608:8Eazg7DSmEazg7DSmEazg7DSmEazg7DSN:Og7uYg7uYg7uYg7uN

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe
    "C:\Users\Admin\AppData\Local\Temp\d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry key
      PID:2764
    • C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
      "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
        "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2928
    • C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
      "C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2716
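Two behaviours in the process tree above are worth turning into detection logic: reg.exe writing an HKCU Run value named "Windows Update" that points into %APPDATA% (PID 2764), and the dropped 7D57AD13E21.exe (PID 2684, tagged SetThreadContext and WriteProcessMemory) launching a second copy of itself (PID 2928), the shape of process hollowing. The memory dumps later on the page are consistent with that: PID 2684 maps 0x400000-0x601000 (2.0MB) while PID 2928, running the same image path, maps 0x400000-0x4A6000 (664KB). The following is an added example, not part of the sandbox report or the sample; it replays the process events above (reconstructed here by hand from the tree, so PPIDs and the signature tags are assumptions taken from the page, not a live capture) through the two checks.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon EID 1 or a sandbox process entry)."""
    pid: int
    ppid: int                # 0 = parent not recorded
    image: str
    cmdline: str
    signatures: tuple = ()   # behaviour tags the sandbox attached to this process


# Constructed from the process tree in the report above (not a live capture).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d3a4be43fda6285a85ff94fa62f8daea60ef31ca27384ecbb35a2793e3214ef7.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
SECOND = r"C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"
EVENTS = [
    ProcEvent(2352, 0, SAMPLE, f'"{SAMPLE}"', ("WriteProcessMemory",)),
    ProcEvent(2764, 2352, r"C:\Windows\SysWOW64\reg.exe",
              r'"C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run '
              r'/v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f'),
    ProcEvent(2684, 2352, DROPPED, f'"{DROPPED}"', ("SetThreadContext", "WriteProcessMemory")),
    ProcEvent(2928, 2684, DROPPED, f'"{DROPPED}"', ("SetWindowsHookEx",)),
    ProcEvent(2716, 2352, SECOND, f'"{SECOND}"', ("SetWindowsHookEx",)),
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Directories an unprivileged user can write to; autoruns pointing here are suspicious.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line into arguments, honouring double-quoted tokens."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def run_key_persistence(ev: ProcEvent) -> Optional[dict]:
    """Flag reg.exe adding a Run/RunOnce value whose target lives in a user-writable path."""
    if not ev.image.lower().endswith("\\reg.exe"):
        return None
    argv = tokenize(ev.cmdline)
    if len(argv) < 3 or argv[1].upper() != "ADD" or not RUN_KEY.search(argv[2]):
        return None
    # Collect /switch value pairs; bare switches such as /f carry no value.
    opts, i = {}, 3
    while i < len(argv):
        if argv[i].startswith("/") and i + 1 < len(argv) and not argv[i + 1].startswith("/"):
            opts[argv[i].lower()] = argv[i + 1]
            i += 2
        else:
            i += 1
    target = opts.get("/d", "")
    if not any(d in target.lower() for d in USER_WRITABLE):
        return None
    return {"pid": ev.pid, "key": argv[2],
            "value_name": opts.get("/v", "(default)"), "target": target}


def self_spawn_candidates(events) -> list[dict]:
    """Pairs where a process launched a child with its own image path.

    Alone this is only a hint (updaters and installers do it too); it is rated as
    likely hollowing only when the parent also carries SetThreadContext and
    WriteProcessMemory, as PID 2684 does in the report.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent and parent.image.lower() == ev.image.lower():
            hollow = {"SetThreadContext", "WriteProcessMemory"} <= set(parent.signatures)
            hits.append({"parent": parent.pid, "child": ev.pid,
                         "image": ev.image, "hollowing_likely": hollow})
    return hits


def triage(events) -> list[dict]:
    """Run both checks over a process list and return every finding."""
    findings = [f for f in (run_key_persistence(e) for e in events) if f]
    return findings + self_spawn_candidates(events)


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The Run-key check keys on the command line rather than on registry telemetry, so it also catches the common case where reg.exe is used instead of a direct RegSetValue call; pair it with a registry-event rule if your sensor records those. The self-spawn check deliberately does not fire on PID 2716 (a different image launched by the sample), and on its own it would also fire on benign self-relaunching software, which is why the hollowing verdict is gated on the parent's API-use signatures.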

Network

  • DNS (destination country: US)
    Domain: sunray1975.zapto.org
    Process: 7D57AD13E21.exe
    Remote address: 8.8.8.8:53
    Request: sunray1975.zapto.org IN A
    Response: No results found
  • 8.8.8.8:53
    Domain: sunray1975.zapto.org
    Protocol: dns
    Process: 7D57AD13E21.exe
    Sent: 66 B
    Received: 126 B
    Packets sent: 1
    Packets received: 1

    DNS Request

    sunray1975.zapto.org

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

    Filesize

    7.9MB

    MD5

    5e4f99cb14d42e45073feabc4da5ae64

    SHA1

    b6fd25a25569d082da98e8e47b48b8ad07dae533

    SHA256

    863f22bb966f4d1e92b1e1993f441695eb32187172e363e71f41f7377b346692

    SHA512

    6baa4b5f8635b5bf6635b4bd4c9fb2dbda6a236c87d8b190ec5653f0b1545e3636706889a123ee2d37e7db968a4bb52bf386105ce6865a5d3db5ac5577cafa13

  • C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

    Filesize

    1.0MB

    MD5

    a2f259ceb892d3b0d1d121997c8927e3

    SHA1

    6e0a7239822b8d365d690a314f231286355f6cc6

    SHA256

    ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420

    SHA512

    5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad

  • memory/2352-2-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2352-1-0x0000000000400000-0x0000000000601000-memory.dmp

    Filesize

    2.0MB

  • memory/2352-3-0x0000000000400000-0x0000000000601000-memory.dmp

    Filesize

    2.0MB

  • memory/2352-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2352-21-0x0000000000400000-0x0000000000601000-memory.dmp

    Filesize

    2.0MB

  • memory/2684-39-0x0000000000400000-0x0000000000601000-memory.dmp

    Filesize

    2.0MB

  • memory/2684-14-0x00000000003C0000-0x00000000003C1000-memory.dmp

    Filesize

    4KB

  • memory/2684-41-0x0000000000400000-0x0000000000601000-memory.dmp

    Filesize

    2.0MB

  • memory/2684-49-0x0000000000400000-0x0000000000601000-memory.dmp

    Filesize

    2.0MB

  • memory/2716-40-0x0000000000400000-0x00000000004FB000-memory.dmp

    Filesize

    1004KB

  • memory/2928-44-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

  • memory/2928-50-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

  • memory/2928-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2928-47-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

  • memory/2928-52-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB
