1c22dcb575a1dbb2a812d3a8e400bc70053ecc8e01504094db7f6e0161218d1b

Analysis

max time kernel
113s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60664e5230f58890ff12552c3775d0d0N.exe
Size

384KB
MD5

60664e5230f58890ff12552c3775d0d0
SHA1

dfb69bf6036265233b7b09cdc2f40fc26feb1d36
SHA256

1c22dcb575a1dbb2a812d3a8e400bc70053ecc8e01504094db7f6e0161218d1b
SHA512

6b00d15b984769d567e1d347f3ec2bc833f4d0d8063f279ed2f44e9f859c92bcdee55d05d9ee14374efb35b0b71b327b1dde16d6f432e1268cf5e1d95f092c6e
SSDEEP

6144:QYTUD0v6332Ace4Xd3kEjiPISUOgW9X+hOGzC/NM:QYTUDxMd3kmZzcukG2/

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2196	SQL.exe

Loads dropped DLL 2 IoCs

pid	Process
2320	cmd.exe
2320	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\system\SQL.exe	60664e5230f58890ff12552c3775d0d0N.exe
File opened for modification	C:\windows\system\SQL.exe	60664e5230f58890ff12552c3775d0d0N.exe
File created	C:\windows\system\SQL.exe.bat	60664e5230f58890ff12552c3775d0d0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60664e5230f58890ff12552c3775d0d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SQL.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2732	60664e5230f58890ff12552c3775d0d0N.exe
2196	SQL.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2732	60664e5230f58890ff12552c3775d0d0N.exe
2732	60664e5230f58890ff12552c3775d0d0N.exe
2196	SQL.exe
2196	SQL.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2320	2732	60664e5230f58890ff12552c3775d0d0N.exe	30
PID 2732 wrote to memory of 2320	2732	60664e5230f58890ff12552c3775d0d0N.exe	30
PID 2732 wrote to memory of 2320	2732	60664e5230f58890ff12552c3775d0d0N.exe	30
PID 2732 wrote to memory of 2320	2732	60664e5230f58890ff12552c3775d0d0N.exe	30
PID 2320 wrote to memory of 2196	2320	cmd.exe	32
PID 2320 wrote to memory of 2196	2320	cmd.exe	32
PID 2320 wrote to memory of 2196	2320	cmd.exe	32
PID 2320 wrote to memory of 2196	2320	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\60664e5230f58890ff12552c3775d0d0N.exe
"C:\Users\Admin\AppData\Local\Temp\60664e5230f58890ff12552c3775d0d0N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system\SQL.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\windows\system\SQL.exe
    C:\windows\system\SQL.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\SQL.exe.bat

Filesize
66B

MD5
092196b4d8bca2d749cd647b96a1670e

SHA1
911d456d1f076fe260875efb37f58984fa0cfd0b

SHA256
ec7254724ed261b2a54b0a8be031fc1c0bf20d524bfffe98a45652c1dc791c65

SHA512
09cb1d221d51badff8d5a31c18d5273e829ff582ca6c9d1efdff252a24a77747c8c7c787baa59a36286a9fae9bfc62f89f06ea7802764fff580b745e6bb94049

Download Submit
\Windows\system\SQL.exe

Filesize
384KB

MD5
eeda45cfe081119dfae2720e72150f68

SHA1
eb94bbd479cfc90072ef7bf247805c3e88bfa14b

SHA256
d1d430069033e44db302c6e02b49b3f111d743387cb25cdb7992f0d02dbd40e3

SHA512
e0a19743ca3db023067ee11c2ff0b02da6a2ab093d20173f79d01ad60b1e465fdab35012169ec0c0b688c74d2fa42b3223b8d4dd323d9e7fcba45f932ac2447a

Download Submit
memory/2196-18-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2196-19-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2732-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2732-12-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download