Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09-09-2024 07:29
Static task: static1
Behavioral task: behavioral1
Sample: broadcom5.exe
Resource: win7-20240903-en
General
Target: broadcom5.exe
Size: 13.2MB
MD5: de5df8536b7d4d9c45fc2e9c6639f24e
SHA1: 5394559d6e470025d886678f4d625a3d01f55d64
SHA256: 7382e6823dc5b6f0ae9b4a67f30a6fe8dc400dfa95278ec647d06e6550ada24e
SHA512: b14c108ac482d54ee000b729170a765f4506ebeb1e7ebbfd7c4367e93cb1b46da642096d8191f1cea13e16b05c124fd7bdaea9323cb53c9a7b5d92629ed7ccad
SSDEEP: 393216:7DfYtlZKIfz5Nk7uSff1yosdxz60CptWbN/33YFEr:7D2lnkaSnCd00Cps/fr
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
PID   Process
2408  build_5.exe
2740  build_5.exe

Loads dropped DLL (3 IoCs)
Processes:
PID   Process
2060  WScript.exe
2408  build_5.exe
2740  build_5.exe

Detects Pyinstaller (1 IoC)
Processes:
Resource: C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe
YARA rule: pyinstaller

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Description  IoC                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   build_5.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   build_5.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   broadcom5.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   WScript.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
Description                        PID   Process        Target process
PID 2088 wrote to memory of 2060   2088  broadcom5.exe  WScript.exe
PID 2088 wrote to memory of 2060   2088  broadcom5.exe  WScript.exe
PID 2088 wrote to memory of 2060   2088  broadcom5.exe  WScript.exe
PID 2088 wrote to memory of 2060   2088  broadcom5.exe  WScript.exe
PID 2060 wrote to memory of 2408   2060  WScript.exe    build_5.exe
PID 2060 wrote to memory of 2408   2060  WScript.exe    build_5.exe
PID 2060 wrote to memory of 2408   2060  WScript.exe    build_5.exe
PID 2060 wrote to memory of 2408   2060  WScript.exe    build_5.exe
PID 2408 wrote to memory of 2740   2408  build_5.exe    build_5.exe
PID 2408 wrote to memory of 2740   2408  build_5.exe    build_5.exe
PID 2408 wrote to memory of 2740   2408  build_5.exe    build_5.exe
PID 2408 wrote to memory of 2740   2408  build_5.exe    build_5.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\broadcom5.exe (PID 2088)
   Command line: "C:\Users\Admin\AppData\Local\Temp\broadcom5.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe (PID 2060)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe (PID 2408)
         Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe (PID 2740)
            Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_5.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 13.1MB
MD5: 489841193bb17bed86528363199e802d
SHA1: b21527944d7f543b568aedbbe9833ffdb621b06a
SHA256: 9e551b2304a6d8b72f38080a717d35900365dda5ce2aea2f2b14e90eba59cd7f
SHA512: 85c250271c44ccafd753495356a9a1bd8d940a8c3443c51e1d8d1fbe1d79ab39226e9e18402b088ec340b05f45e0caeb8a2f7c195479e3b5e9cdbd23260405df

Filesize: 183B
MD5: 5bbb490df19cbff919dc8338db84f363
SHA1: 1acb4bdbd0ff2b9c38613191c5f11e4ae35156c2
SHA256: 738a9b1cd2c12511e87076fefbfe39aff55278ed86b3cc32fb968078cc6e6a03
SHA512: 6b1ccd500347c13ac37f5b214db7717d35879cc6d4c909b7b8ecb7ce54e1cfe8b6d0202afe5edc77721f08e4f94291e8ae97abfb77cb8e758f15a62c6054d40f

Filesize: 5.6MB
MD5: 0eac9fa387647c388fab4239bfe5a0b5
SHA1: fafb679a58b8d85b50af18a4c0a7402fa890ee39
SHA256: 65900b1bc22af5bb974385f7f2a8742ffd12860010cbe0aedb62ff5598998414
SHA512: 70042322b98681c73f83f05e03f61a8ad985944cf07633653706c9b87be738e6698099f40328058ee80d4063f8e85aba7c674c3af079cf082376fb1dc9005e86