Analysis

  • max time kernel
    36s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    28-09-2024 19:41

General

  • Target

    6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6.exe

  • Size

    282KB

  • MD5

    0db1a05d8dbc73507a535b122cbfff85

  • SHA1

    5a4fca1ed651f9ce19f19a2bc51868ee9b95e1ef

  • SHA256

    6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6

  • SHA512

    95541c726c5773850aba1e875ae5415b8e34e02fd96a738c494aeece6d2b4f7b601536b54d07333cc9f4744107a7baf67b2142bbf121328ae4ae32c6b2363c93

  • SSDEEP

    6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkfh:boSeGUA5YZazpXUmZhZ6SA

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6.exe
    "C:\Users\Admin\AppData\Local\Temp\6a74362139ecac3f27f7d199965301be557a75bdc3db16efabfb44a977f345f6.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1296
    • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
      "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
        "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
        3⤵
          PID:2628

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

      Filesize

      282KB

      MD5

      a01c1073bdbcef71341936c6c45a1f4d

      SHA1

      45ae922e5fd9eeafbba315c162dd8f1e3c581518

      SHA256

      91c3616d3cbc050874a835690c01f5186173201fb572bca95cbf5d569225cd28

      SHA512

      d7dcadab8d313ab061e5119816057d233b87f25a2d70188eacc3c38fd7dbada475e1fb239d98e149b45585bfc21970e22be5640787920abd545cb73191b9d9d6

    • memory/1296-3-0x00000000747D0000-0x0000000074D7B000-memory.dmp

      Filesize

      5.7MB

    • memory/1296-2-0x00000000747D0000-0x0000000074D7B000-memory.dmp

      Filesize

      5.7MB

    • memory/1296-0-0x00000000747D1000-0x00000000747D2000-memory.dmp

      Filesize

      4KB

    • memory/1296-4-0x00000000747D0000-0x0000000074D7B000-memory.dmp

      Filesize

      5.7MB

    • memory/1296-5-0x00000000747D0000-0x0000000074D7B000-memory.dmp

      Filesize

      5.7MB

    • memory/1296-1-0x00000000747D0000-0x0000000074D7B000-memory.dmp

      Filesize

      5.7MB

    • memory/1296-13-0x00000000747D0000-0x0000000074D7B000-memory.dmp

      Filesize

      5.7MB

    • memory/2812-16-0x00000000747D0000-0x0000000074D7B000-memory.dmp

      Filesize

      5.7MB

    • memory/2812-15-0x00000000747D0000-0x0000000074D7B000-memory.dmp

      Filesize

      5.7MB

    • memory/2812-17-0x00000000747D0000-0x0000000074D7B000-memory.dmp

      Filesize

      5.7MB

    • memory/2812-18-0x00000000747D0000-0x0000000074D7B000-memory.dmp

      Filesize

      5.7MB

    • memory/2812-19-0x00000000747D0000-0x0000000074D7B000-memory.dmp

      Filesize

      5.7MB

    • memory/2812-21-0x00000000747D0000-0x0000000074D7B000-memory.dmp

      Filesize

      5.7MB