01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe
Size

96KB
MD5

055a7ec43353689f06dd3498947e1052
SHA1

e83a709c3fc729a8480ad40953c88db4ef51a2da
SHA256

01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9
SHA512

485bdffb0c500cfa5c6d4e3570c97032160b1e6944ff43e18113994d272d4a0235e5b6763fd6df3afb78ad7a7df7d90d9288ec7d07b5d1a80382a4223f8dab37
SSDEEP

3072:lbjgjXxdWBhMwRFy2Rk/kcIAebPph/ATvYKyUDI7Lurc:lfAXxd0qf2L/ATvryOI7ac

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2704	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
2504	rMX.exe
792	rMX.exe.exe

Loads dropped DLL 4 IoCs

pid	Process
2112	01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe
2112	01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe
2684	cmd.exe
2684	cmd.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe
File opened for modification	\??\c:\windows\nk.txt	cmd.exe
File created	C:\WINDOWS\VWFLH\rMX.exe	01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe	01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe
File created	\??\c:\windows\rMX.exe.bat	rMX.exe
File created	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rMX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rMX.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2504	2112	01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe	30
PID 2112 wrote to memory of 2504	2112	01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe	30
PID 2112 wrote to memory of 2504	2112	01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe	30
PID 2112 wrote to memory of 2504	2112	01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe	30
PID 2504 wrote to memory of 2368	2504	rMX.exe	31
PID 2504 wrote to memory of 2368	2504	rMX.exe	31
PID 2504 wrote to memory of 2368	2504	rMX.exe	31
PID 2504 wrote to memory of 2368	2504	rMX.exe	31
PID 2504 wrote to memory of 2684	2504	rMX.exe	32
PID 2504 wrote to memory of 2684	2504	rMX.exe	32
PID 2504 wrote to memory of 2684	2504	rMX.exe	32
PID 2504 wrote to memory of 2684	2504	rMX.exe	32
PID 2112 wrote to memory of 2268	2112	01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe	34
PID 2112 wrote to memory of 2268	2112	01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe	34
PID 2112 wrote to memory of 2268	2112	01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe	34
PID 2112 wrote to memory of 2268	2112	01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe	34
PID 2684 wrote to memory of 792	2684	cmd.exe	37
PID 2684 wrote to memory of 792	2684	cmd.exe	37
PID 2684 wrote to memory of 792	2684	cmd.exe	37
PID 2684 wrote to memory of 792	2684	cmd.exe	37
PID 792 wrote to memory of 2856	792	rMX.exe.exe	38
PID 792 wrote to memory of 2856	792	rMX.exe.exe	38
PID 792 wrote to memory of 2856	792	rMX.exe.exe	38
PID 792 wrote to memory of 2856	792	rMX.exe.exe	38
PID 2268 wrote to memory of 2704	2268	cmd.exe	40
PID 2268 wrote to memory of 2704	2268	cmd.exe	40
PID 2268 wrote to memory of 2704	2268	cmd.exe	40
PID 2268 wrote to memory of 2704	2268	cmd.exe	40
PID 2856 wrote to memory of 2836	2856	cmd.exe	41
PID 2856 wrote to memory of 2836	2856	cmd.exe	41
PID 2856 wrote to memory of 2836	2856	cmd.exe	41
PID 2856 wrote to memory of 2836	2856	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe
"C:\Users\Admin\AppData\Local\Temp\01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\WINDOWS\VWFLH\rMX.exe
  C:\WINDOWS\VWFLH\rMX.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo 0>>c:\windows\nk.txt
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\WINDOWS\VWFLH\rMX.exe.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\WINDOWS\VWFLH\rMX.exe.exe
      C:\WINDOWS\VWFLH\rMX.exe.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:792
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\11.vbs
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\11.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\76.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\76.vbs"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\11.vbs

Filesize
162B

MD5
17c488b984ebb137a938b5785621f537

SHA1
69d32ac59b5a0e56041845cee0cbc655ebe1a7d8

SHA256
e8fc4ca5669caad8bf0faf36ae755febc30ec96082c54881e575325d02082630

SHA512
af65b54b8d749cd67a83a702ed91ef08c3e2f882b31aadef21eb624ec511d9bfcb9b765ccdb9d67f8dde845e8611859c85abaa37cfd797ed31bb533a45f97893

Download Submit
C:\76.vbs

Filesize
236B

MD5
83895f7c02a4da4fd1a036c869265ab5

SHA1
95ab9661e9e3d36219c9deed19ed32d51206cbea

SHA256
bd29b42218ca55b25e07b1927ce340e7d67582561e18ad4923fa773a2bf0de8a

SHA512
cb388c859eda358978336ae239dc3f9b0794ef742ca2b38e8a03ceacb5a43bc9a4d0204f9c4b513393c52fb4be22e4b4aa8934d21c2302d07aecf99fd8dedcd2

Download Submit
C:\WINDOWS\VWFLH\rMX.exe.exe

Filesize
96KB

MD5
be29c1ba5e792d59ac3a02bcfe10205e

SHA1
f4581d9ff66ebee2d8bbf918171382f3bd40f14d

SHA256
e0bd8ce0c6a83c470a02975da75f7ac0e9ced103a58c5fb290c8f7057e9754c8

SHA512
655d331b5da6fc7d7534df171152842c481c817686c31c134355f839675870ccbaf3e1ff74bf0b7273bc7227678ea7a3b032b82d27fa023597c752fc737aeea5

Download Submit
\Windows\VWFLH\rMX.exe

Filesize
96KB

MD5
055a7ec43353689f06dd3498947e1052

SHA1
e83a709c3fc729a8480ad40953c88db4ef51a2da

SHA256
01880df7409a02cdd00a9d34992b93ccbed0db46ab4f9dddc1199e11c1f61fa9

SHA512
485bdffb0c500cfa5c6d4e3570c97032160b1e6944ff43e18113994d272d4a0235e5b6763fd6df3afb78ad7a7df7d90d9288ec7d07b5d1a80382a4223f8dab37

Download Submit
memory/792-28-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/2112-15-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/2504-13-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download