52f1fc949fa7aaecee673843cd904238f9cf879c6455aff739c18aa0b39e36f6

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.8MB
MD5

9ab5db4bb5971035b4d287d64f9676b5
SHA1

33d17f016339572dd05c124d6243fffefd0cd039
SHA256

f2126481c02d2a5af29e56023902a0897d05867c1caaf8079cf6e1f05dd9b209
SHA512

d36262fdd4d8bd083d8537f0698c423240c9e42b2dc0048e2470d87411f295d6e3428587b76b0486875495d502f1f31f9edf3eb6fdb914f13421b7f29fa5f066
SSDEEP

49152:G0BIrT/YNRoLlps7tZokvTopSdmX4Foni7iMmdc:GbTRps7Xj

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$_3_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2012	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2012	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2820	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2820	$_3_.exe
2820	$_3_.exe
2820	$_3_.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 752	2820	$_3_.exe	31
PID 2820 wrote to memory of 752	2820	$_3_.exe	31
PID 2820 wrote to memory of 752	2820	$_3_.exe	31
PID 2820 wrote to memory of 752	2820	$_3_.exe	31
PID 752 wrote to memory of 2012	752	cmd.exe	33
PID 752 wrote to memory of 2012	752	cmd.exe	33
PID 752 wrote to memory of 2012	752	cmd.exe	33
PID 752 wrote to memory of 2012	752	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\16070.bat" "C:\Users\Admin\AppData\Local\Temp\EC6C7EAFC07B403CBC9B5DDAAF124012\""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3434294380-2554721341-1919518612-1000\$I6ESMHL

Filesize
544B

MD5
ec62973a3d19ec70ca5b9942c3e46c3b

SHA1
677a9659aaaa7d197f9ff0d29322bbf5b94319b2

SHA256
046d7c87af028855696ec76a97542328e120f9b716a08dc7019222aa727d651d

SHA512
d48b4a4788c26c466d9ff2ce7730d667079cc06a5c3640764b4261b173e705257b913c0413f81c644e6ed5a52e6790ff119346daa219c9f16252dd5c8b439d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\16070.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC6C7EAFC07B403CBC9B5DDAAF124012\EC6C7EAFC07B403CBC9B5DDAAF124012_LogFile.txt

Filesize
9KB

MD5
2624d8739825a67ce1162ad37bb769a3

SHA1
f9c88d1ccd3f1ce090cd9e43ce1d54705e1273f4

SHA256
156dfa91f33d2e69137b6e3e84257196b7b3132115363d99fa75d270e3a1cfa8

SHA512
7b19d1d750953f4e5d58a95d9c5e509e5eeb7b1df70baa890b6ee998b8b0f4a81f9e25ac0daba8411b4e9f3e95a3e3ea7a34c762ce54a978d91b752d713e3c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC6C7EAFC07B403CBC9B5DDAAF124012\EC6C7E~1.TXT

Filesize
125KB

MD5
a5f35fdcf51d48703146b25760cdb715

SHA1
d77080fabee35f097f88bd6bf475b47eb5403815

SHA256
15c16b94e6006466460bd44d2a94debed1ef2f43bba265aaffa7a60f9ccb9ed0

SHA512
06fb03c18c50ea4b6a6c85787dda952945c295872991bba4069db7bb723660d4d24d54e0a40e0a8ffeb2c4d09925ebfa7953dfa08b9f2a2cda372edd859871e2

Download Submit
memory/2820-67-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download