cc24dbf72542d0a11714a208c39bd11cea37f0ffa54dcf7561c6013edfb5dbf9

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d0630d9951c1388592add3b5d0a9aa0N.exe
Size

1.2MB
MD5

4d0630d9951c1388592add3b5d0a9aa0
SHA1

94ff7081b7faa5d9946dbf7e2918bcfaa1298443
SHA256

cc24dbf72542d0a11714a208c39bd11cea37f0ffa54dcf7561c6013edfb5dbf9
SHA512

100e7b29b656c46fdfde80ae058499e7cc6731fa085f6352ead215d6b94a2caaf40453b9236ed74e2069559a10ec5af2217fb4f832081f098deae2fbd7b494da
SSDEEP

24576:+6dDqPk/QYdMTP2bwrwUFbUfpBsB5mMDxtGXY:nqyaUIWgtGXY

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2480	EXECAFD.tmp

Loads dropped DLL 2 IoCs

pid	Process
1864	4d0630d9951c1388592add3b5d0a9aa0N.exe
1864	4d0630d9951c1388592add3b5d0a9aa0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d0630d9951c1388592add3b5d0a9aa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXECAFD.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2480	EXECAFD.tmp
2480	EXECAFD.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 2480	1864	4d0630d9951c1388592add3b5d0a9aa0N.exe	30
PID 1864 wrote to memory of 2480	1864	4d0630d9951c1388592add3b5d0a9aa0N.exe	30
PID 1864 wrote to memory of 2480	1864	4d0630d9951c1388592add3b5d0a9aa0N.exe	30
PID 1864 wrote to memory of 2480	1864	4d0630d9951c1388592add3b5d0a9aa0N.exe	30
PID 2480 wrote to memory of 2348	2480	EXECAFD.tmp	31
PID 2480 wrote to memory of 2348	2480	EXECAFD.tmp	31
PID 2480 wrote to memory of 2348	2480	EXECAFD.tmp	31
PID 2480 wrote to memory of 2348	2480	EXECAFD.tmp	31

C:\Users\Admin\AppData\Local\Temp\4d0630d9951c1388592add3b5d0a9aa0N.exe
"C:\Users\Admin\AppData\Local\Temp\4d0630d9951c1388592add3b5d0a9aa0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Users\Admin\AppData\Local\Temp\EXECAFD.tmp
  "C:\Users\Admin\AppData\Local\Temp\EXECAFD.tmp" "C:\Users\Admin\AppData\Local\Temp\OFMCAFE.tmp" "C:\Users\Admin\AppData\Local\Temp\4d0630d9951c1388592add3b5d0a9aa0N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OFMCAFE.tmp

Filesize
800KB

MD5
1fc6b70938f74ddecf3eca163962db3a

SHA1
676a0147c0c5487641e066912866805655a7a3e2

SHA256
512f860595a607177017c30dfe666d213a03a707eb35eace338531ac8fe43e19

SHA512
9cd927d13ba07be60e3a61cf5cd09676a7c7b45c351a7d8f16b38d68d77d7db2fb89e2f5bfde1cdeb532ddb3ee7f4fdd1e17f4336bb20909d67e9a3800fb96c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMPE8FC.tmp

Filesize
53KB

MD5
3f799347ea0fe0c10ff1868eee5505d8

SHA1
8a06c9208cd2849ecc09cfffae1ea49a3e4d0c36

SHA256
b6ba8f9f4678f2ae20bdb82d8a5760a491e746ca8d433b84f4b258f445bc1123

SHA512
e419b9bbd824386c4a8d7c3e05f06c2d204ebde1084c9b33f4e4cdfdee5f0b6d07283aca14e03d445cd832ff102bbd17f4f7326b2c3c3fa30d1e7ad081f749c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMPE8FF.tmp

Filesize
115KB

MD5
97b69ff071dea9f22096a4d42b4e79df

SHA1
16300c59a3f91505f415613283f6b8c5b0279b0f

SHA256
b5e36af18d7dd86545bec90bd77decf4a13500ed034d868c555f85fabff3672c

SHA512
f91f792008d5ffd9577dc756e022b132eeb1732ce8dffc40eca40d09df534de8ecc77129e62ce0c381fd5ee9f6c5bc120645e3ca8dae5dfdbc176c804919cd69

Download Submit
\Users\Admin\AppData\Local\Temp\EXECAFD.tmp

Filesize
980KB

MD5
34cabedafaf5ce498d245242ac48670e

SHA1
7a78f2a64618448f8118203f3c7225f6f84622d0

SHA256
6dbefd357dc6ad020b5f4c7597312029094bdf9cc08bf2ae911bb2617ab28b39

SHA512
6801b911e4272093129cea416d4e8334250f6d393b4d634d251c22922f5c1906516cf53e2958011e7cb3e2a3e86ba74ea2547bbbcaba210db375ac0a6152fe18

Download Submit