0be377afce39eda818e9b7fae2a24acc0841020c12e74b8f9e0f282e0890713b

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 12:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

88636cc96dff35b3291d546b839ae780N.exe
Size

286KB
MD5

88636cc96dff35b3291d546b839ae780
SHA1

bdf9e69cafcabcbf5956b0762038cf32020d6a2a
SHA256

0be377afce39eda818e9b7fae2a24acc0841020c12e74b8f9e0f282e0890713b
SHA512

71da16abeeb412791c7a158b5d00770cb130d4e176df76b7244aa46af022ca5e78bb205df37d0dc4aa7f897792d3303ced0eee3c75acf1fd8ebfba665a67ea36
SSDEEP

6144:YyZcAuFcCf38XolyxnDFJ6VtgbfWrZbe86lfoy7Hvmrxd5UvBBUDygCka:xTOcCf6ylgbfW1e8GgyDOrxd5YBBITNa

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2004	SDFormatter.exe

Loads dropped DLL 2 IoCs

pid	Process
1720	88636cc96dff35b3291d546b839ae780N.exe
2004	SDFormatter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88636cc96dff35b3291d546b839ae780N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SDFormatter.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2004	SDFormatter.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2004	SDFormatter.exe
2004	SDFormatter.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2004	1720	88636cc96dff35b3291d546b839ae780N.exe	30
PID 1720 wrote to memory of 2004	1720	88636cc96dff35b3291d546b839ae780N.exe	30
PID 1720 wrote to memory of 2004	1720	88636cc96dff35b3291d546b839ae780N.exe	30
PID 1720 wrote to memory of 2004	1720	88636cc96dff35b3291d546b839ae780N.exe	30

C:\Users\Admin\AppData\Local\Temp\88636cc96dff35b3291d546b839ae780N.exe
"C:\Users\Admin\AppData\Local\Temp\88636cc96dff35b3291d546b839ae780N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\SDFormatter.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\SDFormatter.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DLL32NT.DLL

Filesize
93KB

MD5
0bbe52f0758ad49ca191d81b198b53d0

SHA1
88f866e0fb732870e1f53ba21f1358dc2c150fef

SHA256
8f448c0c771fb95ea39d2e42595f556ea88d9ecfc3055d4af5ff99b995a58b2c

SHA512
a57d0223d0bb89b83d13aa3c07be13d105d95363a1e9350a222ccd34aed86845a51263a2012988eed8eeeb0ec31da576b4221468d1ed709f39ec6d3d20e084a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\SDFormatter.exe

Filesize
1.1MB

MD5
dfcba29a5a6637fa0a8196c086a13371

SHA1
d695c45792c6aaba1e547242c9ac4ec893ae4590

SHA256
fc7a63a67fd636934199af02b5e3e1672cc5d3ea17336bcff6a2f073f2cf50cf

SHA512
99e0c8fff7e571c2b4c410254fffd7a3e3999010b3634b924e798947106701000f87153286da033e91849288e42902b9033975af7c021bce2f7b144fe470e114

Download Submit