ad82d4b79bca93c8124446384ec5847b21e0f9c436cefe384fb69ea7e7d44e84

Analysis

max time kernel
141s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 13:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ad82d4b79bca93c8124446384ec5847b21e0f9c436cefe384fb69ea7e7d44e84.exe
Size

15.5MB
MD5

982e64a37fc9be43b18d68a786b9086e
SHA1

90b1cbfabeb6b29d6a66e0513e1165cacc613963
SHA256

ad82d4b79bca93c8124446384ec5847b21e0f9c436cefe384fb69ea7e7d44e84
SHA512

2b9c194c4d5cb15a548e87864ea22c9bd71fb570682138a472f8ddbf03d4a535bab434e1f1b6cf31cec693e961f8ba5fb49e2415280ad1baa2efe6222ec040cf
SSDEEP

393216:W3y6VVezFp72nM0cWLZ1qSZ+8Ns5xy3t1bdCC:W3vVVezv7qV/qG+8NZtnj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1040	n8YDV.exe

Loads dropped DLL 2 IoCs

pid	Process
1040	n8YDV.exe
1040	n8YDV.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	n8YDV.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2944	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2944	vlc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2944	vlc.exe
Token: SeIncBasePriorityPrivilege	2944	vlc.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe
2944	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2944	vlc.exe
1040	n8YDV.exe
1040	n8YDV.exe
1040	n8YDV.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2988	2120	ad82d4b79bca93c8124446384ec5847b21e0f9c436cefe384fb69ea7e7d44e84.exe	30
PID 2120 wrote to memory of 2988	2120	ad82d4b79bca93c8124446384ec5847b21e0f9c436cefe384fb69ea7e7d44e84.exe	30
PID 2120 wrote to memory of 2988	2120	ad82d4b79bca93c8124446384ec5847b21e0f9c436cefe384fb69ea7e7d44e84.exe	30
PID 2120 wrote to memory of 3004	2120	ad82d4b79bca93c8124446384ec5847b21e0f9c436cefe384fb69ea7e7d44e84.exe	31
PID 2120 wrote to memory of 3004	2120	ad82d4b79bca93c8124446384ec5847b21e0f9c436cefe384fb69ea7e7d44e84.exe	31
PID 2120 wrote to memory of 3004	2120	ad82d4b79bca93c8124446384ec5847b21e0f9c436cefe384fb69ea7e7d44e84.exe	31
PID 3004 wrote to memory of 2944	3004	cmd.exe	33
PID 3004 wrote to memory of 2944	3004	cmd.exe	33
PID 3004 wrote to memory of 2944	3004	cmd.exe	33
PID 2988 wrote to memory of 1040	2988	ad82d4b79bca93c8124446384ec5847b21e0f9c436cefe384fb69ea7e7d44e84.exe	35
PID 2988 wrote to memory of 1040	2988	ad82d4b79bca93c8124446384ec5847b21e0f9c436cefe384fb69ea7e7d44e84.exe	35
PID 2988 wrote to memory of 1040	2988	ad82d4b79bca93c8124446384ec5847b21e0f9c436cefe384fb69ea7e7d44e84.exe	35
PID 2988 wrote to memory of 1040	2988	ad82d4b79bca93c8124446384ec5847b21e0f9c436cefe384fb69ea7e7d44e84.exe	35

C:\Users\Admin\AppData\Local\Temp\ad82d4b79bca93c8124446384ec5847b21e0f9c436cefe384fb69ea7e7d44e84.exe
"C:\Users\Admin\AppData\Local\Temp\ad82d4b79bca93c8124446384ec5847b21e0f9c436cefe384fb69ea7e7d44e84.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Local\Temp\ad82d4b79bca93c8124446384ec5847b21e0f9c436cefe384fb69ea7e7d44e84.exe
  C:\Users\Admin\AppData\Local\Temp\ad82d4b79bca93c8124446384ec5847b21e0f9c436cefe384fb69ea7e7d44e84.exe 45063C065A065606740669066106740667066B0642066706720667065A06650667066806620663065A067D064A06310669063206740632065C06300635064B064006340656064506650660067B065A0668063E065F0642065006--365
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\ProgramData\cande\{L7o4r4Z63MF2PCcf}\n8YDV.exe
    "C:\ProgramData\cande\{L7o4r4Z63MF2PCcf}\n8YDV.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1040
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\ad82d4b79bca93c8124446384ec5847b21e0f9c436cefe384fb69ea7e7d44e84.exe.mp4
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\ad82d4b79bca93c8124446384ec5847b21e0f9c436cefe384fb69ea7e7d44e84.exe.mp4"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cande\{L7o4r4Z63MF2PCcf}\n8YDV.exe

Filesize
1.9MB

MD5
c56bd24aee2625eb6a06d97beae1ff2c

SHA1
a007502595e41b8a830acb2b5d2bd632504d8831

SHA256
ed998e0614e685addb67777d17a6dd82e296a4a05f16df63986abe8b786cda9f

SHA512
5e786debe7764491cad106fd499b79aef9d901fcd725851bc5476b115c1e9edf66d23b66f8d29c93207d9d1835da465c10f8b677d178df8f72a3597b47881ecc

Download Submit
C:\ProgramData\cande\{L7o4r4Z63MF2PCcf}\n8YDV.txt

Filesize
289B

MD5
e5fd650120f8ab745f66cf2cddaf9425

SHA1
695428ea38d4392f96c25970d8308fd9339daba2

SHA256
e5c19f5608f1128f6f30726cfd63d6ce552ed5cc4f1ce984d3bb2dfb730fca47

SHA512
971b990d0faa06eafd4de15f483b2149acb858e17eea7132f2f1bdc69f6fb9228cf1f610a99dd89ecd84cd5e8f291eaa03100a6bc1471c2148d373912c8960e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad82d4b79bca93c8124446384ec5847b21e0f9c436cefe384fb69ea7e7d44e84.exe.mp4

Filesize
9.5MB

MD5
37cda6a12848d7ed55bc4896243f2466

SHA1
adc2ec17923910868fff0b434bb86fb288d4453a

SHA256
fcc59f78c2cf04eac0da70407c07ffdeb1e7f3e32e4f3fbd44c32de69aa91b1e

SHA512
b4d1bcab19723d08335d873de45be39845918ca0cfa22b0681d7c9005a6ed3328ea9c3b1ebb24a636b848397bff4cf2ea735f2b15eb68bc42f8d37e9d61ccba0

Download Submit
\ProgramData\cande\{L7o4r4Z63MF2PCcf}\HTTPSAPI.dll

Filesize
3.7MB

MD5
b9e9eda764b738d0d6fc6c37e9ced004

SHA1
5badbb5e7ed5aa4e104679189dc8744ab626ba53

SHA256
64913db0a193aa7388f32d0ec189a8015b84909d8052a643fcc3ef1a904b152b

SHA512
cb2234d6050459228c1540a959b2323c5be64e56eca31deb84d055a140ea937cdf43896a8248e8c5e1116e42b67155e7347d3bb08ebd1bf0ce69f802520b9351

Download Submit
memory/2944-37-0x000007FEF7840000-0x000007FEF7874000-memory.dmp

Filesize
208KB

Download
memory/2944-36-0x000000013F240000-0x000000013F338000-memory.dmp

Filesize
992KB

Download
memory/2944-42-0x000007FEF7820000-0x000007FEF7837000-memory.dmp

Filesize
92KB

Download
memory/2944-45-0x000007FEF6CC0000-0x000007FEF6CD1000-memory.dmp

Filesize
68KB

Download
memory/2944-44-0x000007FEF6CE0000-0x000007FEF6CFD000-memory.dmp

Filesize
116KB

Download
memory/2944-43-0x000007FEF6D00000-0x000007FEF6D11000-memory.dmp

Filesize
68KB

Download
memory/2944-38-0x000007FEF6030000-0x000007FEF62E6000-memory.dmp

Filesize
2.7MB

Download
memory/2944-41-0x000007FEF7B00000-0x000007FEF7B11000-memory.dmp

Filesize
68KB

Download
memory/2944-40-0x000007FEFA9D0000-0x000007FEFA9E7000-memory.dmp

Filesize
92KB

Download
memory/2944-39-0x000007FEFAA20000-0x000007FEFAA38000-memory.dmp

Filesize
96KB

Download
memory/2944-56-0x000007FEF6700000-0x000007FEF6718000-memory.dmp

Filesize
96KB

Download
memory/2944-57-0x000007FEF66D0000-0x000007FEF6700000-memory.dmp

Filesize
192KB

Download
memory/2944-61-0x000007FEF4C70000-0x000007FEF4CC7000-memory.dmp

Filesize
348KB

Download
memory/2944-63-0x000007FEF4AD0000-0x000007FEF4AE7000-memory.dmp

Filesize
92KB

Download
memory/2944-62-0x000007FEF4AF0000-0x000007FEF4C70000-memory.dmp

Filesize
1.5MB

Download
memory/2944-60-0x000007FEF4CD0000-0x000007FEF4CE1000-memory.dmp

Filesize
68KB

Download
memory/2944-46-0x000007FEF4F80000-0x000007FEF6030000-memory.dmp

Filesize
16.7MB

Download
memory/2944-58-0x000007FEF6660000-0x000007FEF66C7000-memory.dmp

Filesize
412KB

Download
memory/2944-59-0x000007FEF4CF0000-0x000007FEF4D6C000-memory.dmp

Filesize
496KB

Download
memory/2944-55-0x000007FEF6720000-0x000007FEF6731000-memory.dmp

Filesize
68KB

Download
memory/2944-54-0x000007FEF6740000-0x000007FEF675B000-memory.dmp

Filesize
108KB

Download
memory/2944-53-0x000007FEF6760000-0x000007FEF6771000-memory.dmp

Filesize
68KB

Download
memory/2944-52-0x000007FEF6780000-0x000007FEF6791000-memory.dmp

Filesize
68KB

Download
memory/2944-51-0x000007FEF67A0000-0x000007FEF67B1000-memory.dmp

Filesize
68KB

Download
memory/2944-50-0x000007FEF6800000-0x000007FEF6818000-memory.dmp

Filesize
96KB

Download
memory/2944-49-0x000007FEF6C90000-0x000007FEF6CB1000-memory.dmp

Filesize
132KB

Download
memory/2944-48-0x000007FEF6820000-0x000007FEF6861000-memory.dmp

Filesize
260KB

Download
memory/2944-47-0x000007FEF4D70000-0x000007FEF4F7B000-memory.dmp

Filesize
2.0MB

Download
memory/2944-90-0x000007FEEFEC0000-0x000007FEEFEF4000-memory.dmp

Filesize
208KB

Download
memory/2944-89-0x000007FEEFF00000-0x000007FEEFF57000-memory.dmp

Filesize
348KB

Download
memory/2944-88-0x000007FEEFF60000-0x000007FEEFFAE000-memory.dmp

Filesize
312KB

Download
memory/2944-86-0x000007FEF1EB0000-0x000007FEF1F24000-memory.dmp

Filesize
464KB

Download
memory/2944-87-0x000007FEF1D30000-0x000007FEF1D41000-memory.dmp

Filesize
68KB

Download
memory/2944-85-0x000007FEF1F30000-0x000007FEF1F77000-memory.dmp

Filesize
284KB

Download
memory/2944-84-0x000007FEF1F80000-0x000007FEF1FE1000-memory.dmp

Filesize
388KB

Download
memory/2944-83-0x000007FEF1FF0000-0x000007FEF2001000-memory.dmp

Filesize
68KB

Download
memory/2944-82-0x000007FEF2120000-0x000007FEF2134000-memory.dmp

Filesize
80KB

Download
memory/2944-81-0x000007FEF2140000-0x000007FEF2153000-memory.dmp

Filesize
76KB

Download
memory/2944-64-0x000007FEF3230000-0x000007FEF4A9F000-memory.dmp

Filesize
24.4MB

Download
memory/2944-80-0x000007FEF2160000-0x000007FEF2175000-memory.dmp

Filesize
84KB

Download
memory/2944-79-0x000007FEF2180000-0x000007FEF2192000-memory.dmp

Filesize
72KB

Download
memory/2944-78-0x000007FEF21A0000-0x000007FEF21BB000-memory.dmp

Filesize
108KB

Download
memory/2944-77-0x000007FEF21C0000-0x000007FEF21D3000-memory.dmp

Filesize
76KB

Download
memory/2944-76-0x000007FEF21E0000-0x000007FEF220A000-memory.dmp

Filesize
168KB

Download
memory/2944-75-0x000007FEF2210000-0x000007FEF2316000-memory.dmp

Filesize
1.0MB

Download
memory/2944-74-0x000007FEF2320000-0x000007FEF2333000-memory.dmp

Filesize
76KB

Download
memory/2944-73-0x000007FEF2340000-0x000007FEF24BA000-memory.dmp

Filesize
1.5MB

Download
memory/2944-72-0x000007FEF24C0000-0x000007FEF24E3000-memory.dmp

Filesize
140KB

Download
memory/2944-71-0x000007FEF24F0000-0x000007FEF2505000-memory.dmp

Filesize
84KB

Download
memory/2944-70-0x000007FEF2510000-0x000007FEF2522000-memory.dmp

Filesize
72KB

Download
memory/2944-69-0x000007FEF2550000-0x000007FEF2561000-memory.dmp

Filesize
68KB

Download
memory/2944-68-0x000007FEF2F60000-0x000007FEF2FAD000-memory.dmp

Filesize
308KB

Download
memory/2944-67-0x000007FEF2FB0000-0x000007FEF2FF2000-memory.dmp

Filesize
264KB

Download
memory/2944-66-0x000007FEF3000000-0x000007FEF3012000-memory.dmp

Filesize
72KB

Download
memory/2944-65-0x000007FEF3020000-0x000007FEF3226000-memory.dmp

Filesize
2.0MB

Download
memory/2944-93-0x000007FEF6030000-0x000007FEF62E6000-memory.dmp

Filesize
2.7MB

Download