448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2

Analysis

max time kernel
105s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
Size

208KB
MD5

b396a083206a5791129b1041d7527c50
SHA1

a3284018452272b72c4e4465089fa062e42796f4
SHA256

448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2
SHA512

35074d7f867f6c026bda963847bccc00aa8b2f4090c72daeb5998e218081eaa992953bbd4484dbb1c8d4a422268d556fa23c221fd87390e710b12b830bb894b7
SSDEEP

3072:74hqYHVGwOa6Mb4GZGxEVBHOsCMldra69myY2m/oykvI6i5gevmCXRwBGa4NLthn:dYUMMy096p05gevzXRwBGaQEjE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1424	AUO.exe
2840	IFWCL.exe
2728	ZHMSB.exe
3016	QNWKRHP.exe
1628	VAMC.exe

Loads dropped DLL 6 IoCs

pid	Process
2780	cmd.exe
2780	cmd.exe
2768	cmd.exe
2768	cmd.exe
2656	cmd.exe
2656	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\VAMC.exe	QNWKRHP.exe
File opened for modification	C:\windows\SysWOW64\VAMC.exe	QNWKRHP.exe
File created	C:\windows\SysWOW64\VAMC.exe.bat	QNWKRHP.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\windows\AUO.exe	448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
File created	C:\windows\system\IFWCL.exe.bat	AUO.exe
File created	C:\windows\system\ZHMSB.exe	IFWCL.exe
File opened for modification	C:\windows\system\ZHMSB.exe	IFWCL.exe
File created	C:\windows\system\ZHMSB.exe.bat	IFWCL.exe
File opened for modification	C:\windows\QNWKRHP.exe	ZHMSB.exe
File opened for modification	C:\windows\AUO.exe	448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
File created	C:\windows\AUO.exe.bat	448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
File created	C:\windows\system\IFWCL.exe	AUO.exe
File opened for modification	C:\windows\system\IFWCL.exe	AUO.exe
File created	C:\windows\QNWKRHP.exe	ZHMSB.exe
File created	C:\windows\QNWKRHP.exe.bat	ZHMSB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AUO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZHMSB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QNWKRHP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAMC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IFWCL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
876	448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
876	448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
1424	AUO.exe
1424	AUO.exe
2840	IFWCL.exe
2840	IFWCL.exe
2728	ZHMSB.exe
2728	ZHMSB.exe
3016	QNWKRHP.exe
3016	QNWKRHP.exe
1628	VAMC.exe
1628	VAMC.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
876	448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
876	448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
1424	AUO.exe
1424	AUO.exe
2840	IFWCL.exe
2840	IFWCL.exe
2728	ZHMSB.exe
2728	ZHMSB.exe
3016	QNWKRHP.exe
3016	QNWKRHP.exe
1628	VAMC.exe
1628	VAMC.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 2868	876	448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe	31
PID 876 wrote to memory of 2868	876	448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe	31
PID 876 wrote to memory of 2868	876	448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe	31
PID 876 wrote to memory of 2868	876	448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe	31
PID 2868 wrote to memory of 1424	2868	cmd.exe	33
PID 2868 wrote to memory of 1424	2868	cmd.exe	33
PID 2868 wrote to memory of 1424	2868	cmd.exe	33
PID 2868 wrote to memory of 1424	2868	cmd.exe	33
PID 1424 wrote to memory of 2780	1424	AUO.exe	34
PID 1424 wrote to memory of 2780	1424	AUO.exe	34
PID 1424 wrote to memory of 2780	1424	AUO.exe	34
PID 1424 wrote to memory of 2780	1424	AUO.exe	34
PID 2780 wrote to memory of 2840	2780	cmd.exe	36
PID 2780 wrote to memory of 2840	2780	cmd.exe	36
PID 2780 wrote to memory of 2840	2780	cmd.exe	36
PID 2780 wrote to memory of 2840	2780	cmd.exe	36
PID 2840 wrote to memory of 2768	2840	IFWCL.exe	37
PID 2840 wrote to memory of 2768	2840	IFWCL.exe	37
PID 2840 wrote to memory of 2768	2840	IFWCL.exe	37
PID 2840 wrote to memory of 2768	2840	IFWCL.exe	37
PID 2768 wrote to memory of 2728	2768	cmd.exe	39
PID 2768 wrote to memory of 2728	2768	cmd.exe	39
PID 2768 wrote to memory of 2728	2768	cmd.exe	39
PID 2768 wrote to memory of 2728	2768	cmd.exe	39
PID 2728 wrote to memory of 2468	2728	ZHMSB.exe	40
PID 2728 wrote to memory of 2468	2728	ZHMSB.exe	40
PID 2728 wrote to memory of 2468	2728	ZHMSB.exe	40
PID 2728 wrote to memory of 2468	2728	ZHMSB.exe	40
PID 2468 wrote to memory of 3016	2468	cmd.exe	42
PID 2468 wrote to memory of 3016	2468	cmd.exe	42
PID 2468 wrote to memory of 3016	2468	cmd.exe	42
PID 2468 wrote to memory of 3016	2468	cmd.exe	42
PID 3016 wrote to memory of 2656	3016	QNWKRHP.exe	43
PID 3016 wrote to memory of 2656	3016	QNWKRHP.exe	43
PID 3016 wrote to memory of 2656	3016	QNWKRHP.exe	43
PID 3016 wrote to memory of 2656	3016	QNWKRHP.exe	43
PID 2656 wrote to memory of 1628	2656	cmd.exe	45
PID 2656 wrote to memory of 1628	2656	cmd.exe	45
PID 2656 wrote to memory of 1628	2656	cmd.exe	45
PID 2656 wrote to memory of 1628	2656	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
"C:\Users\Admin\AppData\Local\Temp\448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\AUO.exe.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\windows\AUO.exe
    C:\windows\AUO.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\windows\system\IFWCL.exe.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\windows\system\IFWCL.exe
        
        C:\windows\system\IFWCL.exe
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2840
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\ZHMSB.exe.bat" "
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\windows\system\ZHMSB.exe
        
        C:\windows\system\ZHMSB.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\QNWKRHP.exe.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\windows\QNWKRHP.exe
        
        C:\windows\QNWKRHP.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\VAMC.exe.bat" "
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\windows\SysWOW64\VAMC.exe
        
        C:\windows\system32\VAMC.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AUO.exe.bat

Filesize
52B

MD5
d20a07efd5e644b64b09b6a73d09d033

SHA1
83383ec16e278ba993ce05d81945c3deba278a3a

SHA256
c03556936437e1d3fee7cd6abd020e0687dc146a247bf95d77fdac6f5f6ddaf3

SHA512
900b0a3ae943cce2f1574325419ca71fd3f776d75029fda2a66063ef7a1432fb76f50d4a089e22785c93592e70a695bf4068c66dc454e0502478c0ede0e8dfdc

Download Submit
C:\Windows\QNWKRHP.exe.bat

Filesize
60B

MD5
64902fac590c02fb9375d0e327f84430

SHA1
c8c5915313fca6c5e2f2971c1aa54e5697f9f2de

SHA256
af49af4f80f22ed42e0c976863faacd4b2d3ee8b4b00df3a2413c9bbe0f4c7ad

SHA512
4921add3d21249ed04a1bbb628237ca339ce449b065e8a0075484e042d70f71e5e103bda492ba37322302405d877676440d0d2e74e733ccbecb9dd68dd1b2f69

Download Submit
C:\Windows\SysWOW64\VAMC.exe.bat

Filesize
72B

MD5
52a13f4ad523e7a961de5960694f6e3f

SHA1
27df2acbbfc1827bb658bfab4a07d5dcdddab7cf

SHA256
6740b246fe7eff4d44e9b434267a35cae87cf96198a98ede5227ef3e6823849a

SHA512
537a62e49ff033ccabd5305ac06941193ecd202feab000b10c96ee1e86a84303fccf743deb333e5835d64d2f710ae98a28452c0e073c0c663355c23bdf74ef84

Download Submit
C:\Windows\system\IFWCL.exe

Filesize
208KB

MD5
8d644ab26a83f5a28e5e4ae5d093b9f6

SHA1
23f4b848d05d195d9914cb71fa26a786ccfb2f84

SHA256
db423b67fc314c06ef6686257c30a4a4b41250dd9c7478094e8fb4240fc569a6

SHA512
b60fc9d41a5e895561f1cde9d1a55ee4d41b187e9a8325a6383ea89fbb9d711cd2c0fcba4168f06a24cd8344f2d8320514f9108b4b25d7bf000d9f4a3e4e6723

Download Submit
C:\Windows\system\IFWCL.exe.bat

Filesize
70B

MD5
68127f2673c19cc75506c878514d1818

SHA1
cc61addfc6b891c7ce07f643900bcf4b3a418b50

SHA256
a72116f02b72c3169afe1d2135a02af491893594b04dd0727437b3f9fe4ff0cf

SHA512
981b995d09c5bb4b9ac74f089cef6f1d2324e817dd7ff267c62999fafdce8a701de66bcb7078c457c0e75ecaeb5675580d0000bbfb80b330182775d0d303a640

Download Submit
C:\Windows\system\ZHMSB.exe.bat

Filesize
70B

MD5
b0e3870aeeb4f470f12a4ae0b46f8071

SHA1
293c0e592dc1f05d844832b0c91c5151a44f4836

SHA256
3dcf81d6fbc963d6a0e596500ecaff495b2131eedb37a727eb5fc8b6792b33d8

SHA512
a33ddf3d2134e9ec6b430701632e30d0fe3bd90f883d8f3fe5eec045d6de8136b173212909425bf374ec7061b2ff648553136c2323394c564c1d0ff6d77134f8

Download Submit
C:\windows\AUO.exe

Filesize
208KB

MD5
44405b3dbc32be4f5cf5ade861f781f4

SHA1
5a79697b3cd6a43f18e60482934bf31bde9f1819

SHA256
06c04c1597b117f00b2ac4ec65d452ff8fd85ebc8c03c0d90921b50675a8affa

SHA512
efbd2e6561065e531fbce42618baf646ab25027a37ee75bbd7fec23ced433509b009b3fe7ee721df004735d08d506ee0826a6e2badcd1a3e6067404bef5758fa

Download Submit
\Windows\SysWOW64\VAMC.exe

Filesize
208KB

MD5
11714c26e56164013e6dd608155ddc44

SHA1
0645548c5840037e2e92ed3942b91708075d3ff8

SHA256
c8e246f58f4ecacd0b7dc16b6e0ece962926c55630df07b4317b0e68ea58fe90

SHA512
b87a4cbea5869a551af59fe77db792c215987d3916f35b23158868ff5e01d567fa5211ed4adfdfdc4b0e946088a972488a2b9587ee5c01f67e2372ac9729e199

Download Submit
\Windows\system\IFWCL.exe

Filesize
208KB

MD5
60dee4a215e52edcad2a87792327a0e9

SHA1
8f13cfc5529685a4bc7f1d29df6528ff8502f21f

SHA256
fa9027bbcc1f8cf8f7fca32b54a2c81afb7703a4661686806a4352bb1cc3705d

SHA512
54c2f573bcf1272dc68dbdb25c845e1e84b4b93cf8e4115459d43967d98db50bf8eb0085cfff24cb31a3c1aff1aac8f8d6456d6a22c66e58122a7b61ddc502ab

Download Submit
\Windows\system\ZHMSB.exe

Filesize
208KB

MD5
b1a29f6b3eae3b25e4b1cace4c72fccc

SHA1
46abcd1589d5dc604d935bd90886557711040eb3

SHA256
1ec7a420b6f602d2f2aea6ff98bd19ca08e0e1611dcc2e07e55806623bbe2e01

SHA512
e751c49b2550b1290a6b9bbbd92786f1a7deb1dcdac97221d3e02c3afb1e53fcadb2e769fa4a82c51ffbddde05461fab9641ff92fedecf3414a596be2fa0726f

Download Submit
memory/876-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/876-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1424-28-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1628-92-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1628-91-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2468-69-0x0000000000220000-0x0000000000258000-memory.dmp

Filesize
224KB

Download
memory/2656-87-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2656-89-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2728-54-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2728-66-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2780-33-0x0000000000180000-0x00000000001B8000-memory.dmp

Filesize
224KB

Download
memory/2780-34-0x0000000000180000-0x00000000001B8000-memory.dmp

Filesize
224KB

Download
memory/2840-48-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2840-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2868-15-0x0000000000570000-0x00000000005A8000-memory.dmp

Filesize
224KB

Download
memory/3016-83-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3016-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download