84e059bb286a4d546c18b3e2f61d0bc0fe7c635fd2c1ca998722324d48d1c584

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe
Size

5.3MB
MD5

1b22c9dd5fb6ec33ec6ce1a5b2abbae5
SHA1

683e746735b6cf1ec365c991a3a057e1af655337
SHA256

84e059bb286a4d546c18b3e2f61d0bc0fe7c635fd2c1ca998722324d48d1c584
SHA512

780bed5650f3e1d3abe9f301107a232015aa853c9b113f8ec8221e4861b61c38a308b29a8bb73c97f289eb2f0027b2e650144a658d8ae9fd0dc9b80839d3848c
SSDEEP

98304:8fUb/0lYBLg5WhPqgQJXUxefLOZjBQIuRdA6nBjfDtcTT4LnN2R3m+YAT0TPEFAF:8fUmug5Wh9WuefLgQIuocQON2xnSPEFy

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
292	1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe
2632	palemoon.exe
2740	palemoon.exe

Loads dropped DLL 13 IoCs

pid	Process
2292	1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe
292	1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe
292	1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe
2632	palemoon.exe
2632	palemoon.exe
2632	palemoon.exe
2632	palemoon.exe
2740	palemoon.exe
2740	palemoon.exe
2740	palemoon.exe
2516	cmd.exe
2516	cmd.exe
1300	OracleUninstall_brj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2740 set thread context of 2516	2740	palemoon.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	palemoon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	palemoon.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2632	palemoon.exe
2740	palemoon.exe
2740	palemoon.exe
2516	cmd.exe
2516	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2740	palemoon.exe
2516	cmd.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 292	2292	1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe	28
PID 2292 wrote to memory of 292	2292	1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe	28
PID 2292 wrote to memory of 292	2292	1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe	28
PID 2292 wrote to memory of 292	2292	1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe	28
PID 2292 wrote to memory of 292	2292	1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe	28
PID 2292 wrote to memory of 292	2292	1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe	28
PID 2292 wrote to memory of 292	2292	1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe	28
PID 292 wrote to memory of 2632	292	1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe	31
PID 292 wrote to memory of 2632	292	1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe	31
PID 292 wrote to memory of 2632	292	1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe	31
PID 292 wrote to memory of 2632	292	1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe	31
PID 2632 wrote to memory of 2740	2632	palemoon.exe	32
PID 2632 wrote to memory of 2740	2632	palemoon.exe	32
PID 2632 wrote to memory of 2740	2632	palemoon.exe	32
PID 2632 wrote to memory of 2740	2632	palemoon.exe	32
PID 2740 wrote to memory of 2516	2740	palemoon.exe	33
PID 2740 wrote to memory of 2516	2740	palemoon.exe	33
PID 2740 wrote to memory of 2516	2740	palemoon.exe	33
PID 2740 wrote to memory of 2516	2740	palemoon.exe	33
PID 2740 wrote to memory of 2516	2740	palemoon.exe	33
PID 2516 wrote to memory of 1300	2516	cmd.exe	35
PID 2516 wrote to memory of 1300	2516	cmd.exe	35
PID 2516 wrote to memory of 1300	2516	cmd.exe	35
PID 2516 wrote to memory of 1300	2516	cmd.exe	35
PID 2516 wrote to memory of 1300	2516	cmd.exe	35
PID 2516 wrote to memory of 1300	2516	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe
"C:\Users\Admin\AppData\Local\Temp\1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\Temp\{FD1385A3-341B-4FDA-AAF7-9AC1E1A2F439}\.cr\1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe
  "C:\Windows\Temp\{FD1385A3-341B-4FDA-AAF7-9AC1E1A2F439}\.cr\1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:292
- - C:\Windows\Temp\{07A4049E-A6D5-446F-8AB5-9211253FD633}\.ba\palemoon.exe
    "C:\Windows\Temp\{07A4049E-A6D5-446F-8AB5-9211253FD633}\.ba\palemoon.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Users\Admin\AppData\Roaming\Exploretask\palemoon.exe
      C:\Users\Admin\AppData\Roaming\Exploretask\palemoon.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2516
      - C:\Users\Admin\AppData\Local\Temp\OracleUninstall_brj.exe
        
        C:\Users\Admin\AppData\Local\Temp\OracleUninstall_brj.exe
        6⤵
        Loads dropped DLL
        
        PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fbf84d71

Filesize
5.1MB

MD5
d9d7fbfb9abe317680eb8bcc41a882fc

SHA1
75980ec5f3af3f250a966c573595a60fecf938d6

SHA256
4f9099b0c5ce1f235acd640a247561c00534af62b5f1f2790d351ce57fe87d15

SHA512
7b486a014d1635236d7ab1967279a5d5a9fefbe26c94e01580d80de085b181e3da0cc4414f709453bcc77c56c7fd603e7ad0c746ec046a37112d498a9f58886f

Download Submit
C:\Windows\Temp\{07A4049E-A6D5-446F-8AB5-9211253FD633}\.ba\MSVCP140.dll

Filesize
427KB

MD5
ff877a5dffd764197250bd4ba28496b1

SHA1
187b8e183fc3331dd4ba139333886ad1fbf333a7

SHA256
83f935454ae8e450b6f042509ecf28cceff95edb2495c63a782b9d45c2eaf1c0

SHA512
b9245353f8a8bce6f443345daf50e135aa9d84bcce4dc5fd9279216b99bc6a1fa409292e110132ad815f303f36006610d6907e9fc778e94977beb2332481d03d

Download Submit
C:\Windows\Temp\{07A4049E-A6D5-446F-8AB5-9211253FD633}\.ba\VCRUNTIME140.dll

Filesize
78KB

MD5
1e6e97d60d411a2dee8964d3d05adb15

SHA1
0a2fe6ec6b6675c44998c282dbb1cd8787612faf

SHA256
8598940e498271b542f2c04998626aa680f2172d0ff4f8dbd4ffec1a196540f9

SHA512
3f7d79079c57786051a2f7facfb1046188049e831f12b549609a8f152664678ee35ad54d1fff4447428b6f76bea1c7ca88fa96aab395a560c6ec598344fcc7fa

Download Submit
C:\Windows\Temp\{07A4049E-A6D5-446F-8AB5-9211253FD633}\.ba\bkfldtk

Filesize
13KB

MD5
740cd68373db32504e9b1b07c37c5ba1

SHA1
cad7f83848e7a47cf0b6d81a8e9f700bd9fcbcf5

SHA256
71c006fbe80c6b6732f41fdf04c44486e270becd6275ad63ccf6569c6cf357eb

SHA512
9e67bff72912da9aade4e5362d7f8e0584f5bd11cc522d013485a1235103bcfb80b069d15618c59591e08f0fe61deba3c473abc4f45af3c29a508a9332374547

Download Submit
C:\Windows\Temp\{07A4049E-A6D5-446F-8AB5-9211253FD633}\.ba\kgjmwi

Filesize
4.0MB

MD5
01b2a059f5e87c86983e2f8477deb98e

SHA1
26c29779c5d72ce55bbaf98d398ea45a9eb58430

SHA256
74e1cba2742f20ceef66428af0698bd1483c530ac862c2ba702efeb36ad2f352

SHA512
869b6b394140daa951c14e262a631a11618112389c7e38ac9ff831375e77262b7ddbde394c0925ea32e9c49a8e46fb0f46b38a50e121a5c21f80b7cebf021500

Download Submit
C:\Windows\Temp\{07A4049E-A6D5-446F-8AB5-9211253FD633}\.ba\mozglue.dll

Filesize
184KB

MD5
ac6fe14ba18210a4cff1cb0a8b27e5d7

SHA1
6b891396563d76b79197b7d0ee236b24b146799b

SHA256
b7caa5013e7d4f9520d2c2447ee3c2b14968ec2497115250cc05f6d1b9efa8f6

SHA512
94a6a0105eb7ff46d642c171c1b0be491a323eac41149b4e24a1d9964da9d2e4599ec66f22b1e0160009c0bf67421883564e36524ad4a3a88e644ea37f729f43

Download Submit
\Users\Admin\AppData\Local\Temp\OracleUninstall_brj.exe

Filesize
2.3MB

MD5
967f4470627f823f4d7981e511c9824f

SHA1
416501b096df80ddc49f4144c3832cf2cadb9cb2

SHA256
b22bf1210b5fd173a210ebfa9092390aa0513c41e1914cbe161eb547f049ef91

SHA512
8883ead428c9d4b415046de9f8398aa1f65ae81fe7945a840c822620e18f6f9930cce2e10acff3b5da8b9c817ade3dabc1de576cbd255087267f77341900a41c

Download Submit
\Windows\Temp\{07A4049E-A6D5-446F-8AB5-9211253FD633}\.ba\Electrum.dll

Filesize
640KB

MD5
ce72a6ce562ae4d949def32bf5196098

SHA1
96f7e2752b94fea107fb01835b2286e6c2c9e82e

SHA256
7c5fa468f8168ec9eba76d33907360348c031777362e7fe214f766582c906d3f

SHA512
c13dfd33e44cac6562a3597f1c9a609087408c5f1b848bed789d6656565032ab6683b6535bae3e90c7529af1b24bb2ba1b4515dd4190cfa121df47cc3b37dcd7

Download Submit
\Windows\Temp\{07A4049E-A6D5-446F-8AB5-9211253FD633}\.ba\palemoon.exe

Filesize
275KB

MD5
b2d4b1d83945b5787d49a86c4f394e0c

SHA1
334a5c434e5d5d0649f8224e449ca9aaf9ba6816

SHA256
038d7b257b98421ad371189cf51d67f32ddad2de687c443a59ea74e4027bbf04

SHA512
4e92c367991a30d81a718ef26e8e61d24a84d2b54b5d9c6555f319b186ed5bc29d03fb10929bdae4d37c4fe92b3c0be63ee1ed4b287df74af7644e65053222d5

Download Submit
\Windows\Temp\{FD1385A3-341B-4FDA-AAF7-9AC1E1A2F439}\.cr\1b22c9dd5fb6ec33ec6ce1a5b2abbae5.exe

Filesize
5.1MB

MD5
267088b1382f34ff51444d323d5613ef

SHA1
0bfbbd4908a0f00962afc3ef4d4499fbd4be3772

SHA256
47bb75d1d4d36b3f9dced0990b8a90687e57c1ac037bb1c08ad9250d3c962685

SHA512
9918eb539f8e3ca623bbce989a8aaf19f2de3e91647f05207d32e2fde67b35a8b324bf40383246dab9af39c92240ca90cc1a4373b287898dc3dd89e0cb0a13b8

Download Submit
memory/1300-111-0x0000000000160000-0x00000000003EA000-memory.dmp

Filesize
2.5MB

Download
memory/1300-108-0x000007FFFFFD9000-0x000007FFFFFDA000-memory.dmp

Filesize
4KB

Download
memory/1300-109-0x000007FFFFFD9000-0x000007FFFFFDA000-memory.dmp

Filesize
4KB

Download
memory/1300-112-0x0000000000160000-0x00000000003EA000-memory.dmp

Filesize
2.5MB

Download
memory/2516-104-0x00000000747A0000-0x0000000074914000-memory.dmp

Filesize
1.5MB

Download
memory/2516-56-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/2632-28-0x0000000074300000-0x0000000074474000-memory.dmp

Filesize
1.5MB

Download
memory/2632-29-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/2740-53-0x00000000747A0000-0x0000000074914000-memory.dmp

Filesize
1.5MB

Download
memory/2740-52-0x00000000747A0000-0x0000000074914000-memory.dmp

Filesize
1.5MB

Download
memory/2740-51-0x00000000747B3000-0x00000000747B5000-memory.dmp

Filesize
8KB

Download
memory/2740-50-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/2740-49-0x00000000747A0000-0x0000000074914000-memory.dmp

Filesize
1.5MB

Download