79afdd9e0a65aa3f3144b8988978623439e2e6ac60c877320e787823b01a0da4

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79afdd9e0a65aa3f3144b8988978623439e2e6ac60c877320e787823b01a0da4N.exe
Size

208KB
MD5

51e80bf79edd03866ee725d8f0e418f0
SHA1

faa0ae9486e7c486bf3c9b5a64daea7b5fa1f2aa
SHA256

79afdd9e0a65aa3f3144b8988978623439e2e6ac60c877320e787823b01a0da4
SHA512

906ee45acd1aed8e2005b01c1f89099a3a1304138627d3aa369f258ddd2b58fb701ae02b86659a4901b38eb232ca680ed71c2d8606aa510b39daf7f47f61afec
SSDEEP

3072:w0VDck4+uF0u1Lpk+GR4rp7hKqEeqcsuhK4NLthEjQT6:w0JnG+f+GRw7OuhKQEj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2920	UJOHQE.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\UJOHQE.exe	79afdd9e0a65aa3f3144b8988978623439e2e6ac60c877320e787823b01a0da4N.exe
File opened for modification	C:\windows\UJOHQE.exe	79afdd9e0a65aa3f3144b8988978623439e2e6ac60c877320e787823b01a0da4N.exe
File created	C:\windows\UJOHQE.exe.bat	79afdd9e0a65aa3f3144b8988978623439e2e6ac60c877320e787823b01a0da4N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79afdd9e0a65aa3f3144b8988978623439e2e6ac60c877320e787823b01a0da4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UJOHQE.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2052	79afdd9e0a65aa3f3144b8988978623439e2e6ac60c877320e787823b01a0da4N.exe
2920	UJOHQE.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2052	79afdd9e0a65aa3f3144b8988978623439e2e6ac60c877320e787823b01a0da4N.exe
2052	79afdd9e0a65aa3f3144b8988978623439e2e6ac60c877320e787823b01a0da4N.exe
2920	UJOHQE.exe
2920	UJOHQE.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 3032	2052	79afdd9e0a65aa3f3144b8988978623439e2e6ac60c877320e787823b01a0da4N.exe	30
PID 2052 wrote to memory of 3032	2052	79afdd9e0a65aa3f3144b8988978623439e2e6ac60c877320e787823b01a0da4N.exe	30
PID 2052 wrote to memory of 3032	2052	79afdd9e0a65aa3f3144b8988978623439e2e6ac60c877320e787823b01a0da4N.exe	30
PID 2052 wrote to memory of 3032	2052	79afdd9e0a65aa3f3144b8988978623439e2e6ac60c877320e787823b01a0da4N.exe	30
PID 3032 wrote to memory of 2920	3032	cmd.exe	32
PID 3032 wrote to memory of 2920	3032	cmd.exe	32
PID 3032 wrote to memory of 2920	3032	cmd.exe	32
PID 3032 wrote to memory of 2920	3032	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\79afdd9e0a65aa3f3144b8988978623439e2e6ac60c877320e787823b01a0da4N.exe
"C:\Users\Admin\AppData\Local\Temp\79afdd9e0a65aa3f3144b8988978623439e2e6ac60c877320e787823b01a0da4N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\UJOHQE.exe.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\windows\UJOHQE.exe
    C:\windows\UJOHQE.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\UJOHQE.exe.bat

Filesize
58B

MD5
47ae85c8010f88f125435a2eda4839a5

SHA1
8b9b45fb75cb3893523fa43baa26828f623fd59b

SHA256
799919240d2a3555c139a1cb534a9e511e0b6ecad7f1758e91a96527b694d8fd

SHA512
7e33a481f906431c9852232cf45d7e5e362de2e229bf5e4d9f741362e3e710f24e3a00d0b05b04baa2ca0bbfdebdeccd0b2a1cc8dfef154c26465c530e624f15

Download Submit
C:\windows\UJOHQE.exe

Filesize
208KB

MD5
ea3c279c86c17e8b1fa1936c9d829206

SHA1
ef434a2624e20175fa47b66980840b4d32d8387e

SHA256
3010d420f21f6b87c72a20fe7dd7edcae5048a6aa8dd5977e56344346288dda1

SHA512
c4297b6988e2d5b8a6cf6c5a47de94b96cc0c8399e322514a03b95e47bc5c9d2ef8026f8766f5942c085b2d86b1e8045ecac3c27821e7f4c61cbf03a84d179ce

Download Submit
memory/2052-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2052-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2920-16-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2920-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download