ca7f7fcf09e61568e9d86978e23d48b8c42079e889c9e82fc317e020a7c0fbce

Analysis

max time kernel
80s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 21:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.8MB
MD5

b1d671736e8e4afd77b6a84f52a85165
SHA1

3392417c0f9ed0a3b0c3bac4b66f22ed459b29dd
SHA256

9cffb8f38ca1ff1c7a6244e17dee39d8d379ba5816ced18aeadd91b46aa4a37c
SHA512

4ef78e54759f0a829daea4f79b75827dba6bf6a05666154112b535922a822152df40db2f2fca71fbfcf48ed8f3e730597a936bd8e40dc6192874c1608259b299
SSDEEP

49152:5SNY8H0ZGF5j51XdQTPRPgoFx1NslvUOl/WkMWAA:GY00Z8F1XdUG

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$_3_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2208	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2208	$_3_.exe
2208	$_3_.exe
2208	$_3_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1284	2208	$_3_.exe	31
PID 2208 wrote to memory of 1284	2208	$_3_.exe	31
PID 2208 wrote to memory of 1284	2208	$_3_.exe	31
PID 2208 wrote to memory of 1284	2208	$_3_.exe	31

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\25112.bat" "C:\Users\Admin\AppData\Local\Temp\47ED45FC48284CB4879AEDF3FEFA0916\""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\25112.bat

Filesize
214B

MD5
739fcc7ba42b209fe44bea47e7a8c48f

SHA1
bc7a448a7c018133edcf012bc94301623eb42c5b

SHA256
69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c

SHA512
2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

Download Submit
C:\Users\Admin\AppData\Local\Temp\47ED45FC48284CB4879AEDF3FEFA0916\47ED45FC48284CB4879AEDF3FEFA0916_LogFile.txt

Filesize
8KB

MD5
5a09476775ddcdddf03948807d0d3a93

SHA1
598d373bd72c6a5185b999887428dfd479bea572

SHA256
703367da4a04fcabd421ffee18f03e9e63877f75f3792de209747d94ed4b5b87

SHA512
42a9a62f7de71a3c83dd72365a4157496ab25b0bde584f7c7b594b764175daf94aab322fcd3a09b37c62d153cf80d71b0dd9f58b716495a4772651203f3763df

Download Submit
C:\Users\Admin\AppData\Local\Temp\47ED45FC48284CB4879AEDF3FEFA0916\47ED45~1.TXT

Filesize
121KB

MD5
9084cdbf779b8de725232e239fbdfe7e

SHA1
2dddbfbfb9e88b9094a4a27dbc9afe0aa04579f4

SHA256
989ccdc1dda13a7c14dcbfe31ff08f5dd948518864baf99f2cd29a4ec8d38655

SHA512
e3d2b6ee555c99cc4de15946624108852a7fde787924876a41abfaf17d2699543eaadc24c2cce77b67ff117adc09302465a1e005111f443901c8ba93852c8c3a

Download Submit
memory/2208-63-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download