c9c1c9d8c5c465c59ce50607411a883c3a887083076e901d5e0459cace755732

Analysis

max time kernel
150s
max time network
15s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9c1c9d8c5c465c59ce50607411a883c3a887083076e901d5e0459cace755732.exe
Size

176KB
MD5

52686d1c3b446c9197009865851089ee
SHA1

2d16c723401d6f0544b71e19c300a5a8400725d4
SHA256

c9c1c9d8c5c465c59ce50607411a883c3a887083076e901d5e0459cace755732
SHA512

a64a6f9a9aff6fef72998f0cac373efa8fd3c6f5c3a579b2b5279b1d572497989f7fdff5f14b97ceaaf153451b1db4a4bdc30a6aa98203886f07ed6c61b02aa9
SSDEEP

3072:c9E4Wgbr57BVFqmx1E9Hqmz674Qbf6xET/nhqCoNWDY1TuDBujfgY1LRQBAhHuYK:O0MJBVlx+Vf274Q2xqhxoNH1Ti5YtuY

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2804	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2648	DpiSdiag.exe
2768	~930C.tmp
2800	Netpdctr.exe

Loads dropped DLL 3 IoCs

pid	Process
2876	c9c1c9d8c5c465c59ce50607411a883c3a887083076e901d5e0459cace755732.exe
2876	c9c1c9d8c5c465c59ce50607411a883c3a887083076e901d5e0459cace755732.exe
2648	DpiSdiag.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\getmrver = "C:\\Users\\Admin\\AppData\\Roaming\\forfubst\\DpiSdiag.exe"	c9c1c9d8c5c465c59ce50607411a883c3a887083076e901d5e0459cace755732.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Netpdctr.exe	c9c1c9d8c5c465c59ce50607411a883c3a887083076e901d5e0459cace755732.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9c1c9d8c5c465c59ce50607411a883c3a887083076e901d5e0459cace755732.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DpiSdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Netpdctr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2648	DpiSdiag.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE
2800	Netpdctr.exe
1192	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2648	2876	c9c1c9d8c5c465c59ce50607411a883c3a887083076e901d5e0459cace755732.exe	30
PID 2876 wrote to memory of 2648	2876	c9c1c9d8c5c465c59ce50607411a883c3a887083076e901d5e0459cace755732.exe	30
PID 2876 wrote to memory of 2648	2876	c9c1c9d8c5c465c59ce50607411a883c3a887083076e901d5e0459cace755732.exe	30
PID 2876 wrote to memory of 2648	2876	c9c1c9d8c5c465c59ce50607411a883c3a887083076e901d5e0459cace755732.exe	30
PID 2648 wrote to memory of 2768	2648	DpiSdiag.exe	31
PID 2648 wrote to memory of 2768	2648	DpiSdiag.exe	31
PID 2648 wrote to memory of 2768	2648	DpiSdiag.exe	31
PID 2648 wrote to memory of 2768	2648	DpiSdiag.exe	31
PID 2768 wrote to memory of 1192	2768	~930C.tmp	21
PID 2876 wrote to memory of 2804	2876	c9c1c9d8c5c465c59ce50607411a883c3a887083076e901d5e0459cace755732.exe	33
PID 2876 wrote to memory of 2804	2876	c9c1c9d8c5c465c59ce50607411a883c3a887083076e901d5e0459cace755732.exe	33
PID 2876 wrote to memory of 2804	2876	c9c1c9d8c5c465c59ce50607411a883c3a887083076e901d5e0459cace755732.exe	33
PID 2876 wrote to memory of 2804	2876	c9c1c9d8c5c465c59ce50607411a883c3a887083076e901d5e0459cace755732.exe	33
PID 2804 wrote to memory of 2720	2804	cmd.exe	35
PID 2804 wrote to memory of 2720	2804	cmd.exe	35
PID 2804 wrote to memory of 2720	2804	cmd.exe	35
PID 2804 wrote to memory of 2720	2804	cmd.exe	35

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2720	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1192
- C:\Users\Admin\AppData\Local\Temp\c9c1c9d8c5c465c59ce50607411a883c3a887083076e901d5e0459cace755732.exe
  "C:\Users\Admin\AppData\Local\Temp\c9c1c9d8c5c465c59ce50607411a883c3a887083076e901d5e0459cace755732.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Roaming\forfubst\DpiSdiag.exe
    "C:\Users\Admin\AppData\Roaming\forfubst\DpiSdiag.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\~930C.tmp
      "C:\Users\Admin\AppData\Local\Temp\~930C.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    /C 259494980.cmd
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "c9c1c9d8c5c465c59ce50607411a883c3a887083076e901d5e0459cace755732.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2720

C:\Windows\SysWOW64\Netpdctr.exe
C:\Windows\SysWOW64\Netpdctr.exe -k
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259494980.cmd

Filesize
291B

MD5
d09867e4096cd40190c058f6044b9521

SHA1
993a05da2694bb41e63fbb81968fdc640328a378

SHA256
806d6b9c12ff2bb607102d6e1f80165ff414de3b91fc35671c26be60074dec79

SHA512
0b96322ef59f39d41d80047cd78e6b3280bf324d22c7cda8880a5961eae750ce7b740b5ec337f64d131c504ec709967a3cc15aa0df611c80b33717df1574a592

Download Submit
C:\Users\Admin\AppData\Local\Temp\~930C.tmp

Filesize
6KB

MD5
e7f21a5d32db182a8bf0ce2f6436801f

SHA1
41563cb93907690210aa1682b16986d87c408932

SHA256
908443dfd04fb3bab8aa813233d564cc865309982913340426b6bf1883d6bb92

SHA512
0bd96fc847a82b51a988e5e8b05185c9c04fc4ecafcd96e6c8a2e30c01484544fc3520309d566cf847b07518908a56f62cdf5c43e0faab2e245c193080b9142f

Download Submit
C:\Windows\SysWOW64\Netpdctr.exe

Filesize
176KB

MD5
52686d1c3b446c9197009865851089ee

SHA1
2d16c723401d6f0544b71e19c300a5a8400725d4

SHA256
c9c1c9d8c5c465c59ce50607411a883c3a887083076e901d5e0459cace755732

SHA512
a64a6f9a9aff6fef72998f0cac373efa8fd3c6f5c3a579b2b5279b1d572497989f7fdff5f14b97ceaaf153451b1db4a4bdc30a6aa98203886f07ed6c61b02aa9

Download Submit
\Users\Admin\AppData\Roaming\forfubst\DpiSdiag.exe

Filesize
176KB

MD5
bfa0a72a2380752db6c6476504b7f524

SHA1
9662850d1c8282f4c5d5df4cb41c2464f2b4bd41

SHA256
60c916bd78674dc3f60bc03fa9b3dc01de1a70451a0e62a5f6eea8b5034ce3b7

SHA512
d6ac3d969e52945aa822c447b513bf2a744eec49ad49b1f3666840895c235d66bb2c2b440cf3b159d1743e69aa90e547c5d58d2778eeab837b4b61875af46563

Download Submit
memory/1192-20-0x0000000002240000-0x0000000002283000-memory.dmp

Filesize
268KB

Download
memory/1192-17-0x0000000002240000-0x0000000002283000-memory.dmp

Filesize
268KB

Download
memory/1192-21-0x0000000002240000-0x0000000002283000-memory.dmp

Filesize
268KB

Download
memory/1192-16-0x0000000002240000-0x0000000002283000-memory.dmp

Filesize
268KB

Download
memory/2648-11-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/2800-27-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/2800-30-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/2800-29-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/2876-0-0x0000000000140000-0x0000000000180000-memory.dmp

Filesize
256KB

Download