Analysis
-
max time kernel
106s -
max time network
113s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
07-09-2024 08:17
Errors
General
-
Target
Xfer.Records.Serum.v1.363-TCD.exe
-
Size
194.4MB
-
MD5
022bdfff9aae163cdad8a6592d6f875b
-
SHA1
6e3d3c0d9577f63ad3486301b96da5a078e7998d
-
SHA256
3c276917a800a8c9ad19b82efe50abb88d6105954a5b99f1b1f2f1e6a6b2fb44
-
SHA512
9c6fb958f60bcf8d28e1f2162f6126db64756b08b5759838fe9eb175e1132a8bfc7d502100980ba24e32cc9fdab758e33a6b3ec68add092d13d7c4dd7661b727
-
SSDEEP
3145728:xFouHlx5rcWFlzaNTX8UXQlTQEu1zHZXbob8d4eCHA++JgDSbQ0c0/u/hUVIIng3:xxHP5rhmNB/5obr9AXJkSk00hUmIng44
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 3 IoCs
-
Drops file in Program Files directory 39 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Xfer.Records.Serum.v1.363-TCD.exe"C:\Users\Admin\AppData\Local\Temp\Xfer.Records.Serum.v1.363-TCD.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-PC3FG.tmp\Xfer.Records.Serum.v1.363-TCD.tmp"C:\Users\Admin\AppData\Local\Temp\is-PC3FG.tmp\Xfer.Records.Serum.v1.363-TCD.tmp" /SL5="$50026,202736105,792576,C:\Users\Admin\AppData\Local\Temp\Xfer.Records.Serum.v1.363-TCD.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5381⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD594a0e05982477cc34ef1a1f3620f8ee0
SHA10f6210cf69b71a507cec8d7dee5238d206ffdf5a
SHA2569bba3ffde88cf5b931e5efe69071f8c7a8714c02ae2737337a51196d67de4ba6
SHA5127bc3cf1d7f9477064e25c7adea56ac59ccd6dd24586da6f52e40547a7f208b5cadcb315574e42c9f4d39abe050a89805e31d8f897a21c72ccc773ffa42e13d10
-
Filesize
78B
MD5020c94f1c6788d463c7e91f564c2bd4f
SHA153ff4238e34c619b24cad4a537f9cd6024e05192
SHA256de781ea76410e15ac7edaeeef982dfc08e6a61939d8a1809c78f87c53fc0be65
SHA5129a8a0a24f7e32eda2e33dd840729d7577c57a3311791d6b78f348387250b6f2352bac753d2c7858558d0e409592b2d7375285a63cf30a65fae1458eff92b1cdd
-
Filesize
1KB
MD55bb22ab624d9c111ccff980846e21c99
SHA1a200fec196a8f0a4b798d3fa73f2e715ed547835
SHA256a0a1c6ea69b0a6a1aa6d6bd6bd295e8df710ab4f819c1aeecf2c5786f26d1059
SHA5120b9c2a9a0b18bebe29790355affeab7cdfcf4955e7464c9660c08d737850ad3ec7c8457be8980e567a8d922fe28beec8f29ed4ae30ca4a1e05896669ea26736d
-
Filesize
1KB
MD53d370826d1b4c223b7975cbc2a064eb1
SHA18eabeabf9798ee63cf7cbe3df3f2c22c5aa4798c
SHA256d34652d56f2a61d28d1c350fc180a1ce1642c29bcb5fe05a77b9b256711468f4
SHA512b502d2dd5e572705a7d7a75060ecd5c20e8f0f7307dfad659ebd3c62079d48bba0b3ba80117b62412ad2bc0eb114e8037c9e8ae9201b30acd72e9217861e4d6a
-
Filesize
1KB
MD5c2636cab1581b01001bd665189fda63c
SHA176b394eea28541efc8574bd7773a35e1fca67ce5
SHA2567f489f7a78e8153edd85b24f6f724a21895d10d5c8f40197c7af7e68960bda66
SHA5125387376cc01d2d638c628d20c0471d582896641b9a5236bd78f76331a92b173d59a3d09cdda38fa2c648a07c3716972e657f5ab4868557d5bc928bcb36d721d7
-
Filesize
2KB
MD52b4d9090fdb2bdedb973155412b06ab8
SHA111d7b407d00d081414fbed0f35b8cfb491e0e90f
SHA256981ca03de861ee80f0049bd33abbbcc2322aaa23499f31c6bf274750cc14dfd8
SHA5126d0428b866103203b38fb06b22364c8e3591adf23fcc0b32d7f5de048348a4af1e2d7913f39de84e7e47eca3c41995365959c2a1c77243a3d5f42809c5d14072
-
Filesize
2KB
MD55d857b9000d78b502e2ffb8d0e6647de
SHA10e27ede07ddb9dcc6ddf1f9831c4c70988ca066c
SHA256f8e352e45b99c51541c641e79336b0ac71bed60de31f866caed96e42b42adae4
SHA512d3ebb20a9cff226947e477aa990982e0a8a4b27202e7b915d66622531e9e7832a3a1e9ecb86c5d27688498a88d3fbcec3b4272a340be8a4a03e52db99d5161f7
-
Filesize
3.0MB
MD5fe911c32bbeb987fe274baaec723fc34
SHA1ce069fa11091f8d5c85c417855c738dc1389011d
SHA25677639af33f2c2d2d13df3f41eef29959b324bf48eab0b403e5b61102e303c4d4
SHA5120a00ec27d6e17ed359b4729c2d4c71148efcc443f1688acb39484a47d2468073b44847ef04e730c8bb587842c3deb6eee840297702d0553d412854c3fad269a5
-
Filesize
3.0MB
MD5d6767f8e3108c06d646ec46d547c4a43
SHA16e951499919cfaa9bc10abb15690398b4474d688
SHA256d5b52c20cca1be2bff6bc2f7d5c9168082bb9a9c1522cb4a9443174f114b71c7
SHA512b9ee131c71e877e0bf49e6a09504cef3975889cba2ed2056f54165e113d518264c580d1d20e44b9026f8f28ec9181bee7083c6e055891ef5b47244ec5a1d3961
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
828KB
-
Filesize
728KB
-
Filesize
828KB
-
Filesize
828KB