702a2250f14de8a76b731bb5268ffaee83bcc4e474e4a511f9a84fbbce44f68a

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

702a2250f14de8a76b731bb5268ffaee83bcc4e474e4a511f9a84fbbce44f68a.exe
Size

8.2MB
MD5

1b875880947481d34583fc5c1bc0c704
SHA1

8c599119693eaec71cb2c7aff07f23fc475bb1cd
SHA256

702a2250f14de8a76b731bb5268ffaee83bcc4e474e4a511f9a84fbbce44f68a
SHA512

6348638b582edf89ea69cfe34b3533081fc2e25e41c634aef52b6aa49e01e4827e6b5dfc0d575c79966d51a471864aa6645d4dbf41042e9823b99b8c49403fb9
SSDEEP

196608:cdd+G3rhYyyJe18agr0Iatq/LJSLQyOWnGjRX9v+BqsiHMaBJHdwt:gdVP8akouLJS9MjRsBqsTSU

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2576	ngentot.bat

Loads dropped DLL 4 IoCs

pid	Process
2712	702a2250f14de8a76b731bb5268ffaee83bcc4e474e4a511f9a84fbbce44f68a.exe
2712	702a2250f14de8a76b731bb5268ffaee83bcc4e474e4a511f9a84fbbce44f68a.exe
2712	702a2250f14de8a76b731bb5268ffaee83bcc4e474e4a511f9a84fbbce44f68a.exe
2712	702a2250f14de8a76b731bb5268ffaee83bcc4e474e4a511f9a84fbbce44f68a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngentot.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	702a2250f14de8a76b731bb5268ffaee83bcc4e474e4a511f9a84fbbce44f68a.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2576	2712	702a2250f14de8a76b731bb5268ffaee83bcc4e474e4a511f9a84fbbce44f68a.exe	30
PID 2712 wrote to memory of 2576	2712	702a2250f14de8a76b731bb5268ffaee83bcc4e474e4a511f9a84fbbce44f68a.exe	30
PID 2712 wrote to memory of 2576	2712	702a2250f14de8a76b731bb5268ffaee83bcc4e474e4a511f9a84fbbce44f68a.exe	30
PID 2712 wrote to memory of 2576	2712	702a2250f14de8a76b731bb5268ffaee83bcc4e474e4a511f9a84fbbce44f68a.exe	30
PID 2576 wrote to memory of 2484	2576	ngentot.bat	32
PID 2576 wrote to memory of 2484	2576	ngentot.bat	32
PID 2576 wrote to memory of 2484	2576	ngentot.bat	32
PID 2576 wrote to memory of 2484	2576	ngentot.bat	32
PID 2484 wrote to memory of 2800	2484	cmd.exe	33
PID 2484 wrote to memory of 2800	2484	cmd.exe	33
PID 2484 wrote to memory of 2800	2484	cmd.exe	33
PID 2484 wrote to memory of 2524	2484	cmd.exe	34
PID 2484 wrote to memory of 2524	2484	cmd.exe	34
PID 2484 wrote to memory of 2524	2484	cmd.exe	34
PID 2484 wrote to memory of 2680	2484	cmd.exe	35
PID 2484 wrote to memory of 2680	2484	cmd.exe	35
PID 2484 wrote to memory of 2680	2484	cmd.exe	35
PID 2484 wrote to memory of 2564	2484	cmd.exe	36
PID 2484 wrote to memory of 2564	2484	cmd.exe	36
PID 2484 wrote to memory of 2564	2484	cmd.exe	36
PID 2484 wrote to memory of 2588	2484	cmd.exe	37
PID 2484 wrote to memory of 2588	2484	cmd.exe	37
PID 2484 wrote to memory of 2588	2484	cmd.exe	37
PID 2484 wrote to memory of 2632	2484	cmd.exe	38
PID 2484 wrote to memory of 2632	2484	cmd.exe	38
PID 2484 wrote to memory of 2632	2484	cmd.exe	38
PID 2484 wrote to memory of 2688	2484	cmd.exe	39
PID 2484 wrote to memory of 2688	2484	cmd.exe	39
PID 2484 wrote to memory of 2688	2484	cmd.exe	39
PID 2484 wrote to memory of 3008	2484	cmd.exe	40
PID 2484 wrote to memory of 3008	2484	cmd.exe	40
PID 2484 wrote to memory of 3008	2484	cmd.exe	40
PID 2484 wrote to memory of 2772	2484	cmd.exe	41
PID 2484 wrote to memory of 2772	2484	cmd.exe	41
PID 2484 wrote to memory of 2772	2484	cmd.exe	41
PID 2484 wrote to memory of 2124	2484	cmd.exe	42
PID 2484 wrote to memory of 2124	2484	cmd.exe	42
PID 2484 wrote to memory of 2124	2484	cmd.exe	42
PID 2484 wrote to memory of 2896	2484	cmd.exe	43
PID 2484 wrote to memory of 2896	2484	cmd.exe	43
PID 2484 wrote to memory of 2896	2484	cmd.exe	43
PID 2484 wrote to memory of 2552	2484	cmd.exe	44
PID 2484 wrote to memory of 2552	2484	cmd.exe	44
PID 2484 wrote to memory of 2552	2484	cmd.exe	44
PID 2484 wrote to memory of 2960	2484	cmd.exe	45
PID 2484 wrote to memory of 2960	2484	cmd.exe	45
PID 2484 wrote to memory of 2960	2484	cmd.exe	45
PID 2484 wrote to memory of 2220	2484	cmd.exe	46
PID 2484 wrote to memory of 2220	2484	cmd.exe	46
PID 2484 wrote to memory of 2220	2484	cmd.exe	46
PID 2484 wrote to memory of 2504	2484	cmd.exe	47
PID 2484 wrote to memory of 2504	2484	cmd.exe	47
PID 2484 wrote to memory of 2504	2484	cmd.exe	47
PID 2484 wrote to memory of 2240	2484	cmd.exe	48
PID 2484 wrote to memory of 2240	2484	cmd.exe	48
PID 2484 wrote to memory of 2240	2484	cmd.exe	48
PID 2484 wrote to memory of 2228	2484	cmd.exe	49
PID 2484 wrote to memory of 2228	2484	cmd.exe	49
PID 2484 wrote to memory of 2228	2484	cmd.exe	49
PID 2484 wrote to memory of 2444	2484	cmd.exe	50
PID 2484 wrote to memory of 2444	2484	cmd.exe	50
PID 2484 wrote to memory of 2444	2484	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\702a2250f14de8a76b731bb5268ffaee83bcc4e474e4a511f9a84fbbce44f68a.exe
"C:\Users\Admin\AppData\Local\Temp\702a2250f14de8a76b731bb5268ffaee83bcc4e474e4a511f9a84fbbce44f68a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Users\Admin\AppData\Local\Temp\7zS2CAC.tmp\ngentot.bat
  "C:\Users\Admin\AppData\Local\Temp\7zS2CAC.tmp\ngentot.bat"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2F2B.tmp\2F2C.tmp\2F2D.bat C:\Users\Admin\AppData\Local\Temp\7zS2CAC.tmp\ngentot.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\system32\xcopy.exe
      xcopy "andro" "C:\FOX\01CFoxA1\Data\profile\extensions" /D /E /C /R /H /I /K /Y
      4⤵
      PID:2800
  - - C:\Windows\system32\xcopy.exe
      xcopy "andro" "C:\FOX\02CFoxA2\Data\profile\extensions" /D /E /C /R /H /I /K /Y
      4⤵
      PID:2524
  - - C:\Windows\system32\xcopy.exe
      xcopy "iphone" "C:\FOX\03CFoxI1\Data\profile\extensions" /D /E /C /R /H /I /K /Y
      4⤵
      PID:2680
  - - C:\Windows\system32\xcopy.exe
      xcopy "iphone" "C:\FOX\04CFoxI2\Data\profile\extensions" /D /E /C /R /H /I /K /Y
      4⤵
      PID:2564
  - - C:\Windows\system32\xcopy.exe
      xcopy "ipad" "C:\FOX\05CFoxP1\Data\profile\extensions" /D /E /C /R /H /I /K /Y
      4⤵
      PID:2588
  - - C:\Windows\system32\xcopy.exe
      xcopy "ipad" "C:\FOX\05CFoxP2\Data\profile\extensions" /D /E /C /R /H /I /K /Y
      4⤵
      PID:2632
  - - C:\Windows\system32\xcopy.exe
      xcopy "tab" "C:\FOX\07CFoxTB\Data\profile\extensions" /D /E /C /R /H /I /K /Y
      4⤵
      PID:2688
  - - C:\Windows\system32\xcopy.exe
      xcopy "ds" "C:\FOX\08CFoxD1\Data\profile\extensions" /D /E /C /R /H /I /K /Y
      4⤵
      PID:3008
  - - C:\Windows\system32\xcopy.exe
      xcopy "ds" "C:\FOX\09CFoxD2\Data\profile\extensions" /D /E /C /R /H /I /K /Y
      4⤵
      PID:2772
  - - C:\Windows\system32\xcopy.exe
      xcopy "ds" "C:\FOX\10CFoxD3\Data\profile\extensions" /D /E /C /R /H /I /K /Y
      4⤵
      PID:2124
  - - C:\Windows\system32\xcopy.exe
      xcopy "andro" "C:\FOX\11CFoxAP\Data\profile\extensions" /D /E /C /R /H /I /K /Y
      4⤵
      PID:2896
  - - C:\Windows\system32\xcopy.exe
      xcopy "andro" "C:\FOX\12CFoxAS\Data\profile\extensions" /D /E /C /R /H /I /K /Y
      4⤵
      PID:2552
  - - C:\Windows\system32\xcopy.exe
      xcopy "iphone" "C:\FOX\13CFoxIP\Data\profile\extensions" /D /E /C /R /H /I /K /Y
      4⤵
      PID:2960
  - - C:\Windows\system32\xcopy.exe
      xcopy "iphone" "C:\FOX\14CFoxIS\Data\profile\extensions" /D /E /C /R /H /I /K /Y
      4⤵
      PID:2220
  - - C:\Windows\system32\xcopy.exe
      xcopy "ipad" "C:\FOX\15CFoxPD\Data\profile\extensions" /D /E /C /R /H /I /K /Y
      4⤵
      PID:2504
  - - C:\Windows\system32\xcopy.exe
      xcopy "tab" "C:\FOX\16CFoxTB\Data\profile\extensions" /D /E /C /R /H /I /K /Y
      4⤵
      PID:2240
  - - C:\Windows\system32\xcopy.exe
      xcopy "ds" "C:\FOX\17CFoxDL\Data\profile\extensions" /D /E /C /R /H /I /K /Y
      4⤵
      PID:2228
  - - C:\Windows\system32\xcopy.exe
      xcopy "ds" "C:\FOX\18CFoxDM\Data\profile\extensions" /D /E /C /R /H /I /K /Y
      4⤵
      PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2F2B.tmp\2F2C.tmp\2F2D.bat

Filesize
3KB

MD5
391c36fcb487e5728c613f3a1d39f98d

SHA1
cd865abb851ce36e5786ee2bdb53b879aefa7fbe

SHA256
514c562eb947b2039e30df0a3030085777ece7b9c978bfe1f701f4f17c0deed4

SHA512
724536900deed21ca288d0a02ce8b13aac5642f9133684c1f867f8f00536d24e92a54235be8241caf20935bc3b03e2ca414edb0e12b4ed8784b0046e3b8468b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2CAC.tmp\andro\[email protected]

Filesize
4.1MB

MD5
5bedf4fcc5f2528ffe60e3ed0149fcb2

SHA1
0f4dc6ad758fec5a800bb0f17589bfe1976c346e

SHA256
ee32593baddad2d017f164df386be1eec8c25c04dbced5caef79f884b56bd385

SHA512
bc31781cbceb24553cdf3f0aab18c0d8ef959440311b948fd7fbb4c38d7ac69c80cf44bb906ec2f417c0b213976f6262ea0dd8f26896d5e4795d153dbf7757fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2CAC.tmp\ds\[email protected]

Filesize
4.1MB

MD5
3c94273a5b51678315796cbfe1602784

SHA1
6060b1b44445e8a040ec227d5ab315b1ba503f67

SHA256
1ac0bd791a821c64d88ffb9ecd423b920b90ff9556ccef2e62e148ac449293b0

SHA512
4915b91a6dcd096d5dc03afca30c7e990b939596adf1db54a0b3418c9f7c18bdeca1cc951adbbc7a4a258fa6a39345cee22f36534c17c4a4fa9bfd52530ac998

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2CAC.tmp\ipad\[email protected]

Filesize
4.1MB

MD5
8b08bdddea896f60c79ac380f2b856ac

SHA1
b7488922bea4d2561cccf4a9ac372fc66f7d61ca

SHA256
8da5743664db36c06b568166dfada12980a52ff6707a8650482b1df64d656e84

SHA512
e3ea62fe06e8475cc1882ab31913185867968e8deb220a126b41ca727311843ef9d2c1149cb1fb745f8e2175d5ddb9e66ab5cd057885c7d3ede7af35e381cc03

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2CAC.tmp\iphone\[email protected]

Filesize
4.1MB

MD5
106e2d96b5da7e644ba977720bd7303e

SHA1
921dea90ea2442d7c6289bf09829b060c73b6efe

SHA256
8e8595959e0fcf1d1be83816f987f77cc33c7c33c93465ef0bbfbf8643d0baae

SHA512
f5d4d027cade5ed7e08517fa75096378f273c9fe0324105003cf4cb3b5ab5190ce18860ddab63d616b70c0385a3793de87eff998f056dfd084abfca43661907d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2CAC.tmp\ngentot.bat

Filesize
344KB

MD5
ee054aac95b24ff7ac5b6d68ce8b437d

SHA1
6053032d050a199726b46f14c4c61b07de87d1b6

SHA256
54d0ed4b0d3a3a58177ee7aead16b791bc3b1d9e63506b43dcae6bbf03db54ac

SHA512
a04247a8ceac7f519d6f5f0a76390201ba235f4535f1a1f4532b907ad7644c67b4e7c14edebb6a8fdd2775ee272c7dc653dee7ce9e9e80e8073bc0362a0a98ec

Download Submit