5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f

Analysis

max time kernel
150s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe
Size

2.3MB
MD5

c448e7ba48015f2161bcdc520efdd0be
SHA1

9ad690b77c7809b44d7816ea2d0dfdae05a82989
SHA256

5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f
SHA512

b41371f280bc93a58233f0623b6321e364e722977e99529b025bf9d2d8a43ad32d577bf8b007f3698471cf0af5376d5e4e2369ee407a9bfdab4b7e24d9a17a16
SSDEEP

49152:6kQTAQfGuxOtReiPjyuECu02Qo81wnXy1DQnC:6ayxOTVeXTQrwilQnC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2780	ren.exe
2556	uHaR0zLcjq.exe

Loads dropped DLL 4 IoCs

pid	Process
1424	5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe
1424	5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe
2780	ren.exe
2556	uHaR0zLcjq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uHaR0zLcjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ren.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1424	5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe
1424	5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe
2780	ren.exe
2780	ren.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe
2556	uHaR0zLcjq.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2780	ren.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1424	5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe
Token: SeDebugPrivilege	2780	ren.exe
Token: SeDebugPrivilege	2556	uHaR0zLcjq.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 2780	1424	5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe	29
PID 1424 wrote to memory of 2780	1424	5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe	29
PID 1424 wrote to memory of 2780	1424	5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe	29
PID 1424 wrote to memory of 2780	1424	5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe	29
PID 2780 wrote to memory of 2556	2780	ren.exe	30
PID 2780 wrote to memory of 2556	2780	ren.exe	30
PID 2780 wrote to memory of 2556	2780	ren.exe	30
PID 2780 wrote to memory of 2556	2780	ren.exe	30

C:\Users\Admin\AppData\Local\Temp\5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe
"C:\Users\Admin\AppData\Local\Temp\5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Local\Temp\ren.exe
  "C:\Users\Admin\AppData\Local\Temp\ren.exe" C:\Users\Admin\AppData\Local\Temp\5499f1666140a15d197578099b296075b7b9c76a3714daba521139d6b479394f.exe 1424
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\uHaR0zLcjq.exe
    "C:\Users\Admin\AppData\Local\Temp\uHaR0zLcjq.exe" run 2780
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uHaR0zLcjq.exe

Filesize
2.3MB

MD5
672365dc12ed9cb67d87a1c2bec793bf

SHA1
9b1790840b7fb90a432785d14360fd4212218523

SHA256
00e6139175c16eb631fba2ee133365eb8ab1d0f764e921cc145096a9dda25c3b

SHA512
e498ff7a4c29171a2b66602a3289d9d0d3263731627531961674430d78f6ca2b54c47df301cd175a61ed1a39b10d14d58fe20a4babb65ddf4741e389abd608dc

Download Submit
\Users\Admin\AppData\Local\Temp\GeinNet.dll

Filesize
67KB

MD5
b48ee45a24990664d7392baeef2fe115

SHA1
04f6578a3b2461938b48f5bf9c6160a209cd30c4

SHA256
2100f1991075959c04fb3f5acb994cc229f47523fddd7357887135ea27624a94

SHA512
c960f132567a6c0030f23a6fc48ac19cc4db59b9852adb2253ebbaf837257e2cc5baf7e6598a2d58f6fe94bd7743ff124cc6b79fcabe658847caa0f3b796cfbb

Download Submit
\Users\Admin\AppData\Local\Temp\ren.exe

Filesize
180KB

MD5
f636949e31ebde732ed742647d114aef

SHA1
ea8f00281cad5554be7e0f9399c7575e40ee5eeb

SHA256
73f6b7c9d2c8bd72ff05b9476fe13c31d81a62304e33951282837de59090ad52

SHA512
e81b5eb76a9bf11dabc444f33f0293b0099d409b9256ce33793e89cac80244899561d575d2b9136a53d5b30dfb980576fbf58402ad5f7c36544273bc87966715

Download Submit
memory/1424-0-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

Filesize
4KB

Download
memory/1424-1-0x00000000052E0000-0x000000000552A000-memory.dmp

Filesize
2.3MB

Download
memory/1424-2-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/1424-4-0x0000000005090000-0x00000000052D8000-memory.dmp

Filesize
2.3MB

Download
memory/1424-3-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/1424-5-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/1424-6-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-13-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-15-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-17-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-9-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-19-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-7-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-21-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-11-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-23-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-61-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-25-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-27-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-29-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-31-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-33-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-35-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-37-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-39-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-41-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-43-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-45-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-47-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-49-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-51-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-69-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-67-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-873-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/1424-872-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/1424-65-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-63-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-59-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-57-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-55-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-53-0x0000000005090000-0x00000000052D2000-memory.dmp

Filesize
2.3MB

Download
memory/1424-875-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

Filesize
4KB

Download
memory/1424-876-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/1424-874-0x0000000005CA0000-0x0000000005E62000-memory.dmp

Filesize
1.8MB

Download
memory/1424-886-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/2780-887-0x00000000004E0000-0x00000000004FC000-memory.dmp

Filesize
112KB

Download
memory/2780-888-0x0000000001F70000-0x0000000001F8C000-memory.dmp

Filesize
112KB

Download
memory/2780-889-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/2780-890-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/2780-891-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/2780-898-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/2780-896-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/2780-1043-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download