f6df63c031b23c4fc8f3d235284539fa4745086388e10e2d226564dea47ab54a

Resubmissions

25/09/2024, 14:02

240925-rcfzaasenf 8

25/09/2024, 14:02

240925-rb6tbaygpk 8

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55f813b368e7834f7f692c2e2451b8f2.exe
Size

37KB
MD5

55f813b368e7834f7f692c2e2451b8f2
SHA1

3ff5aee5e0acd936ddabe4ec6113744988d526d3
SHA256

f6df63c031b23c4fc8f3d235284539fa4745086388e10e2d226564dea47ab54a
SHA512

941663b113c4fb35ccae4428bf37717c78e96ea832c9700de92741f39c1cef65bd2adbf1ae4138ba5d3d97e9f8381b50425a6f7d760ca1f49e33a6305ae9074b
SSDEEP

384:d4so92aul8VctMCqTX3xAkSVE6B95rfRqzhBaSUR4WVJl/vrseE7+Db9/:d4s6ulPg6XO66WRqGB

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1944	RuntimeBrokers.exe

Loads dropped DLL 1 IoCs

pid	Process
2788	RegAsm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	pastebin.com
6	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1488 set thread context of 2788	1488	55f813b368e7834f7f692c2e2451b8f2.exe	35

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBrokers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55f813b368e7834f7f692c2e2451b8f2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1488	55f813b368e7834f7f692c2e2451b8f2.exe
1488	55f813b368e7834f7f692c2e2451b8f2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	55f813b368e7834f7f692c2e2451b8f2.exe
Token: SeDebugPrivilege	2788	RegAsm.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2780	1488	55f813b368e7834f7f692c2e2451b8f2.exe	31
PID 1488 wrote to memory of 2780	1488	55f813b368e7834f7f692c2e2451b8f2.exe	31
PID 1488 wrote to memory of 2780	1488	55f813b368e7834f7f692c2e2451b8f2.exe	31
PID 1488 wrote to memory of 2780	1488	55f813b368e7834f7f692c2e2451b8f2.exe	31
PID 2780 wrote to memory of 2692	2780	csc.exe	33
PID 2780 wrote to memory of 2692	2780	csc.exe	33
PID 2780 wrote to memory of 2692	2780	csc.exe	33
PID 2780 wrote to memory of 2692	2780	csc.exe	33
PID 1488 wrote to memory of 2828	1488	55f813b368e7834f7f692c2e2451b8f2.exe	34
PID 1488 wrote to memory of 2828	1488	55f813b368e7834f7f692c2e2451b8f2.exe	34
PID 1488 wrote to memory of 2828	1488	55f813b368e7834f7f692c2e2451b8f2.exe	34
PID 1488 wrote to memory of 2828	1488	55f813b368e7834f7f692c2e2451b8f2.exe	34
PID 1488 wrote to memory of 2828	1488	55f813b368e7834f7f692c2e2451b8f2.exe	34
PID 1488 wrote to memory of 2828	1488	55f813b368e7834f7f692c2e2451b8f2.exe	34
PID 1488 wrote to memory of 2828	1488	55f813b368e7834f7f692c2e2451b8f2.exe	34
PID 1488 wrote to memory of 2788	1488	55f813b368e7834f7f692c2e2451b8f2.exe	35
PID 1488 wrote to memory of 2788	1488	55f813b368e7834f7f692c2e2451b8f2.exe	35
PID 1488 wrote to memory of 2788	1488	55f813b368e7834f7f692c2e2451b8f2.exe	35
PID 1488 wrote to memory of 2788	1488	55f813b368e7834f7f692c2e2451b8f2.exe	35
PID 1488 wrote to memory of 2788	1488	55f813b368e7834f7f692c2e2451b8f2.exe	35
PID 1488 wrote to memory of 2788	1488	55f813b368e7834f7f692c2e2451b8f2.exe	35
PID 1488 wrote to memory of 2788	1488	55f813b368e7834f7f692c2e2451b8f2.exe	35
PID 1488 wrote to memory of 2788	1488	55f813b368e7834f7f692c2e2451b8f2.exe	35
PID 1488 wrote to memory of 2788	1488	55f813b368e7834f7f692c2e2451b8f2.exe	35
PID 1488 wrote to memory of 2788	1488	55f813b368e7834f7f692c2e2451b8f2.exe	35
PID 1488 wrote to memory of 2788	1488	55f813b368e7834f7f692c2e2451b8f2.exe	35
PID 1488 wrote to memory of 2788	1488	55f813b368e7834f7f692c2e2451b8f2.exe	35
PID 2788 wrote to memory of 1944	2788	RegAsm.exe	37
PID 2788 wrote to memory of 1944	2788	RegAsm.exe	37
PID 2788 wrote to memory of 1944	2788	RegAsm.exe	37
PID 2788 wrote to memory of 1944	2788	RegAsm.exe	37

C:\Users\Admin\AppData\Local\Temp\55f813b368e7834f7f692c2e2451b8f2.exe
"C:\Users\Admin\AppData\Local\Temp\55f813b368e7834f7f692c2e2451b8f2.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\22j12wr2\22j12wr2.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0A6.tmp" "c:\Users\Admin\AppData\Local\Temp\22j12wr2\CSC7982AC506C274F16BC7471E892527A8.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\ProgramData\Visual_Studio\RuntimeBrokers.exe
    "C:\ProgramData\Visual_Studio\RuntimeBrokers.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\22j12wr2\22j12wr2.dll

Filesize
9KB

MD5
9ae9bab011f037e9ac34aa6f932f6308

SHA1
5a7fe9d4e00ad433688d0a354eadf291aa873742

SHA256
d77a2c73e06e35c5fb9e484b6ab273b0c6c5eff2f39f2b3efab7433bc0034f44

SHA512
4b620e1717e1a85f20782ccc4d655885dd3c7df439cd2f43e5a927c4e294aaec9a106636d94f16e921741057f3a47953bde0496bb044266012d49216acf51863

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF0A6.tmp

Filesize
1KB

MD5
aee08ad4646110e28e17deda447865a3

SHA1
a8a2de10d2043008d50b39e569540a21d7e9f783

SHA256
e4760383a7b04f7fe979b9266c4045d397d6283faaa12ea9b93acc823eb5f84f

SHA512
328effda5156c3eacc5c63619cf2d663401950c59dfe1c084013902f3cc15b0789f0d28cc1dde38f34ef505963837cf111150457aaa3dc2616634ade8d3bbd80

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\22j12wr2\22j12wr2.0.cs

Filesize
10KB

MD5
1b6ac34c4169b5a34200e793d21182e6

SHA1
7a195f13804f6d4f38774b2a94962faa2f6c03e6

SHA256
38eca887cb1764ceccab157b44915f0a41760c843c530a72d66ee414a9a61296

SHA512
454f50f81b31594855c7bf2b6168c7a4ead6e83e4c60cf7f49c54a4a6378ba7946b00b9336b3ffa9c390fc85ea4305577093411448a68cb0d8280b115ea0dd58

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\22j12wr2\22j12wr2.cmdline

Filesize
204B

MD5
ad230fe9ba04dd69cc6fcb8bed0daaab

SHA1
8b0745ceececac067310dbce06efcbc7de79fd2d

SHA256
b32cc972c7545a5e10601a18eadc12918dcfc2a8eb72d8b2b3d7604f357b4d54

SHA512
af8e66a66ec5bf4227699427e7ae3fc9e441b11ef69e47c13317f4669b97cb1576c66cb75deba9163d05aa8c0b0a8493f5b6fc333178f8ff810346526457f8e0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\22j12wr2\CSC7982AC506C274F16BC7471E892527A8.TMP

Filesize
652B

MD5
a03bf6b3dd716e5bd5374e4ba114d96f

SHA1
ee0817d22f651885d9b2a9fc473b8fec813fd182

SHA256
73f3619e26c57c68d266188efdf6be66a7bba44d363a7611b1f3700f08e075ae

SHA512
63fc54e9a81f2502ca4c67ed6768968d13c28fe09f988eea8fdd12173ca2aeebc3cd67c2b636f8ee4e7f5dc58cfb35a24a232997b1daa1d2a3326c6dc35af473

Download Submit
memory/1488-15-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/1488-31-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/1488-1-0x0000000000B70000-0x0000000000B80000-memory.dmp

Filesize
64KB

Download
memory/1488-0-0x0000000073F3E000-0x0000000073F3F000-memory.dmp

Filesize
4KB

Download
memory/1488-2-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/1944-42-0x00000000012B0000-0x00000000012C2000-memory.dmp

Filesize
72KB

Download
memory/2788-28-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/2788-23-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/2788-19-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/2788-32-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/2788-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2788-21-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/2788-17-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/2788-26-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download