Analysis
max time kernel: 105s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03/10/2024, 19:17
Static task: static1
Behavioral task: behavioral1
  Sample: 448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
  Resource: win10v2004-20240802-en
General
Target: 448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
Size: 208KB
MD5: b396a083206a5791129b1041d7527c50
SHA1: a3284018452272b72c4e4465089fa062e42796f4
SHA256: 448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2
SHA512: 35074d7f867f6c026bda963847bccc00aa8b2f4090c72daeb5998e218081eaa992953bbd4484dbb1c8d4a422268d556fa23c221fd87390e710b12b830bb894b7
SSDEEP: 3072:74hqYHVGwOa6Mb4GZGxEVBHOsCMldra69myY2m/oykvI6i5gevmCXRwBGa4NLthn:dYUMMy096p05gevzXRwBGaQEjE
Malware Config
Signatures
Executes dropped EXE (5 IoCs)
  PID   Process
  1424  AUO.exe
  2840  IFWCL.exe
  2728  ZHMSB.exe
  3016  QNWKRHP.exe
  1628  VAMC.exe

Loads dropped DLL (6 IoCs)
  PID   Process
  2780  cmd.exe
  2780  cmd.exe
  2768  cmd.exe
  2768  cmd.exe
  2656  cmd.exe
  2656  cmd.exe

Drops file in System32 directory (3 IoCs)
  Description                   IoC                                Process
  File created                  C:\windows\SysWOW64\VAMC.exe       QNWKRHP.exe
  File opened for modification  C:\windows\SysWOW64\VAMC.exe       QNWKRHP.exe
  File created                  C:\windows\SysWOW64\VAMC.exe.bat   QNWKRHP.exe

Drops file in Windows directory (12 IoCs)
  Description                   IoC                                Process
  File created                  C:\windows\AUO.exe                 448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
  File created                  C:\windows\system\IFWCL.exe.bat    AUO.exe
  File created                  C:\windows\system\ZHMSB.exe        IFWCL.exe
  File opened for modification  C:\windows\system\ZHMSB.exe        IFWCL.exe
  File created                  C:\windows\system\ZHMSB.exe.bat    IFWCL.exe
  File opened for modification  C:\windows\QNWKRHP.exe             ZHMSB.exe
  File opened for modification  C:\windows\AUO.exe                 448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
  File created                  C:\windows\AUO.exe.bat             448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
  File created                  C:\windows\system\IFWCL.exe        AUO.exe
  File opened for modification  C:\windows\system\IFWCL.exe        AUO.exe
  File created                  C:\windows\QNWKRHP.exe             ZHMSB.exe
  File created                  C:\windows\QNWKRHP.exe.bat         ZHMSB.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AUO.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ZHMSB.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  QNWKRHP.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  VAMC.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IFWCL.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID   Process
  876   448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
  876   448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
  1424  AUO.exe
  1424  AUO.exe
  2840  IFWCL.exe
  2840  IFWCL.exe
  2728  ZHMSB.exe
  2728  ZHMSB.exe
  3016  QNWKRHP.exe
  3016  QNWKRHP.exe
  1628  VAMC.exe
  1628  VAMC.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
  PID   Process
  876   448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
  876   448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
  1424  AUO.exe
  1424  AUO.exe
  2840  IFWCL.exe
  2840  IFWCL.exe
  2728  ZHMSB.exe
  2728  ZHMSB.exe
  3016  QNWKRHP.exe
  3016  QNWKRHP.exe
  1628  VAMC.exe
  1628  VAMC.exe

Suspicious use of WriteProcessMemory (40 IoCs)
  Description                          PID   Process                                                                  procid_target
  PID 876 wrote to memory of 2868      876   448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe  31
  PID 876 wrote to memory of 2868      876   448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe  31
  PID 876 wrote to memory of 2868      876   448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe  31
  PID 876 wrote to memory of 2868      876   448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe  31
  PID 2868 wrote to memory of 1424     2868  cmd.exe                                                                  33
  PID 2868 wrote to memory of 1424     2868  cmd.exe                                                                  33
  PID 2868 wrote to memory of 1424     2868  cmd.exe                                                                  33
  PID 2868 wrote to memory of 1424     2868  cmd.exe                                                                  33
  PID 1424 wrote to memory of 2780     1424  AUO.exe                                                                  34
  PID 1424 wrote to memory of 2780     1424  AUO.exe                                                                  34
  PID 1424 wrote to memory of 2780     1424  AUO.exe                                                                  34
  PID 1424 wrote to memory of 2780     1424  AUO.exe                                                                  34
  PID 2780 wrote to memory of 2840     2780  cmd.exe                                                                  36
  PID 2780 wrote to memory of 2840     2780  cmd.exe                                                                  36
  PID 2780 wrote to memory of 2840     2780  cmd.exe                                                                  36
  PID 2780 wrote to memory of 2840     2780  cmd.exe                                                                  36
  PID 2840 wrote to memory of 2768     2840  IFWCL.exe                                                                37
  PID 2840 wrote to memory of 2768     2840  IFWCL.exe                                                                37
  PID 2840 wrote to memory of 2768     2840  IFWCL.exe                                                                37
  PID 2840 wrote to memory of 2768     2840  IFWCL.exe                                                                37
  PID 2768 wrote to memory of 2728     2768  cmd.exe                                                                  39
  PID 2768 wrote to memory of 2728     2768  cmd.exe                                                                  39
  PID 2768 wrote to memory of 2728     2768  cmd.exe                                                                  39
  PID 2768 wrote to memory of 2728     2768  cmd.exe                                                                  39
  PID 2728 wrote to memory of 2468     2728  ZHMSB.exe                                                                40
  PID 2728 wrote to memory of 2468     2728  ZHMSB.exe                                                                40
  PID 2728 wrote to memory of 2468     2728  ZHMSB.exe                                                                40
  PID 2728 wrote to memory of 2468     2728  ZHMSB.exe                                                                40
  PID 2468 wrote to memory of 3016     2468  cmd.exe                                                                  42
  PID 2468 wrote to memory of 3016     2468  cmd.exe                                                                  42
  PID 2468 wrote to memory of 3016     2468  cmd.exe                                                                  42
  PID 2468 wrote to memory of 3016     2468  cmd.exe                                                                  42
  PID 3016 wrote to memory of 2656     3016  QNWKRHP.exe                                                              43
  PID 3016 wrote to memory of 2656     3016  QNWKRHP.exe                                                              43
  PID 3016 wrote to memory of 2656     3016  QNWKRHP.exe                                                              43
  PID 3016 wrote to memory of 2656     3016  QNWKRHP.exe                                                              43
  PID 2656 wrote to memory of 1628     2656  cmd.exe                                                                  45
  PID 2656 wrote to memory of 1628     2656  cmd.exe                                                                  45
  PID 2656 wrote to memory of 1628     2656  cmd.exe                                                                  45
  PID 2656 wrote to memory of 1628     2656  cmd.exe                                                                  45
Processes
(Each entry is a process in the tree; the leading number is its nesting depth, and each process is the child of the one above it.)

1. C:\Users\Admin\AppData\Local\Temp\448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe"
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 876

  2. C:\Windows\SysWOW64\cmd.exe
     Command line: cmd /c ""C:\windows\AUO.exe.bat" "
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
     PID: 2868

    3. C:\windows\AUO.exe
       Command line: C:\windows\AUO.exe
       - Executes dropped EXE
       - Drops file in Windows directory
       - System Location Discovery: System Language Discovery
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of SetWindowsHookEx
       - Suspicious use of WriteProcessMemory
       PID: 1424

      4. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\windows\system\IFWCL.exe.bat" "
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 2780

        5. C:\windows\system\IFWCL.exe
           Command line: C:\windows\system\IFWCL.exe
           - Executes dropped EXE
           - Drops file in Windows directory
           - System Location Discovery: System Language Discovery
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of SetWindowsHookEx
           - Suspicious use of WriteProcessMemory
           PID: 2840

          6. C:\Windows\SysWOW64\cmd.exe
             Command line: cmd /c ""C:\windows\system\ZHMSB.exe.bat" "
             - Loads dropped DLL
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory
             PID: 2768

            7. C:\windows\system\ZHMSB.exe
               Command line: C:\windows\system\ZHMSB.exe
               - Executes dropped EXE
               - Drops file in Windows directory
               - System Location Discovery: System Language Discovery
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of SetWindowsHookEx
               - Suspicious use of WriteProcessMemory
               PID: 2728

              8. C:\Windows\SysWOW64\cmd.exe
                 Command line: cmd /c ""C:\windows\QNWKRHP.exe.bat" "
                 - System Location Discovery: System Language Discovery
                 - Suspicious use of WriteProcessMemory
                 PID: 2468

                9. C:\windows\QNWKRHP.exe
                   Command line: C:\windows\QNWKRHP.exe
                   - Executes dropped EXE
                   - Drops file in System32 directory
                   - System Location Discovery: System Language Discovery
                   - Suspicious behavior: EnumeratesProcesses
                   - Suspicious use of SetWindowsHookEx
                   - Suspicious use of WriteProcessMemory
                   PID: 3016

                  10. C:\Windows\SysWOW64\cmd.exe
                      Command line: cmd /c ""C:\windows\system32\VAMC.exe.bat" "
                      - Loads dropped DLL
                      - System Location Discovery: System Language Discovery
                      - Suspicious use of WriteProcessMemory
                      PID: 2656

                    11. C:\windows\SysWOW64\VAMC.exe
                        Command line: C:\windows\system32\VAMC.exe
                        - Executes dropped EXE
                        - System Location Discovery: System Language Discovery
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of SetWindowsHookEx
                        PID: 1628
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 52B
MD5: d20a07efd5e644b64b09b6a73d09d033
SHA1: 83383ec16e278ba993ce05d81945c3deba278a3a
SHA256: c03556936437e1d3fee7cd6abd020e0687dc146a247bf95d77fdac6f5f6ddaf3
SHA512: 900b0a3ae943cce2f1574325419ca71fd3f776d75029fda2a66063ef7a1432fb76f50d4a089e22785c93592e70a695bf4068c66dc454e0502478c0ede0e8dfdc

Filesize: 60B
MD5: 64902fac590c02fb9375d0e327f84430
SHA1: c8c5915313fca6c5e2f2971c1aa54e5697f9f2de
SHA256: af49af4f80f22ed42e0c976863faacd4b2d3ee8b4b00df3a2413c9bbe0f4c7ad
SHA512: 4921add3d21249ed04a1bbb628237ca339ce449b065e8a0075484e042d70f71e5e103bda492ba37322302405d877676440d0d2e74e733ccbecb9dd68dd1b2f69

Filesize: 72B
MD5: 52a13f4ad523e7a961de5960694f6e3f
SHA1: 27df2acbbfc1827bb658bfab4a07d5dcdddab7cf
SHA256: 6740b246fe7eff4d44e9b434267a35cae87cf96198a98ede5227ef3e6823849a
SHA512: 537a62e49ff033ccabd5305ac06941193ecd202feab000b10c96ee1e86a84303fccf743deb333e5835d64d2f710ae98a28452c0e073c0c663355c23bdf74ef84

Filesize: 208KB
MD5: 8d644ab26a83f5a28e5e4ae5d093b9f6
SHA1: 23f4b848d05d195d9914cb71fa26a786ccfb2f84
SHA256: db423b67fc314c06ef6686257c30a4a4b41250dd9c7478094e8fb4240fc569a6
SHA512: b60fc9d41a5e895561f1cde9d1a55ee4d41b187e9a8325a6383ea89fbb9d711cd2c0fcba4168f06a24cd8344f2d8320514f9108b4b25d7bf000d9f4a3e4e6723

Filesize: 70B
MD5: 68127f2673c19cc75506c878514d1818
SHA1: cc61addfc6b891c7ce07f643900bcf4b3a418b50
SHA256: a72116f02b72c3169afe1d2135a02af491893594b04dd0727437b3f9fe4ff0cf
SHA512: 981b995d09c5bb4b9ac74f089cef6f1d2324e817dd7ff267c62999fafdce8a701de66bcb7078c457c0e75ecaeb5675580d0000bbfb80b330182775d0d303a640

Filesize: 70B
MD5: b0e3870aeeb4f470f12a4ae0b46f8071
SHA1: 293c0e592dc1f05d844832b0c91c5151a44f4836
SHA256: 3dcf81d6fbc963d6a0e596500ecaff495b2131eedb37a727eb5fc8b6792b33d8
SHA512: a33ddf3d2134e9ec6b430701632e30d0fe3bd90f883d8f3fe5eec045d6de8136b173212909425bf374ec7061b2ff648553136c2323394c564c1d0ff6d77134f8

Filesize: 208KB
MD5: 44405b3dbc32be4f5cf5ade861f781f4
SHA1: 5a79697b3cd6a43f18e60482934bf31bde9f1819
SHA256: 06c04c1597b117f00b2ac4ec65d452ff8fd85ebc8c03c0d90921b50675a8affa
SHA512: efbd2e6561065e531fbce42618baf646ab25027a37ee75bbd7fec23ced433509b009b3fe7ee721df004735d08d506ee0826a6e2badcd1a3e6067404bef5758fa

Filesize: 208KB
MD5: 11714c26e56164013e6dd608155ddc44
SHA1: 0645548c5840037e2e92ed3942b91708075d3ff8
SHA256: c8e246f58f4ecacd0b7dc16b6e0ece962926c55630df07b4317b0e68ea58fe90
SHA512: b87a4cbea5869a551af59fe77db792c215987d3916f35b23158868ff5e01d567fa5211ed4adfdfdc4b0e946088a972488a2b9587ee5c01f67e2372ac9729e199

Filesize: 208KB
MD5: 60dee4a215e52edcad2a87792327a0e9
SHA1: 8f13cfc5529685a4bc7f1d29df6528ff8502f21f
SHA256: fa9027bbcc1f8cf8f7fca32b54a2c81afb7703a4661686806a4352bb1cc3705d
SHA512: 54c2f573bcf1272dc68dbdb25c845e1e84b4b93cf8e4115459d43967d98db50bf8eb0085cfff24cb31a3c1aff1aac8f8d6456d6a22c66e58122a7b61ddc502ab

Filesize: 208KB
MD5: b1a29f6b3eae3b25e4b1cace4c72fccc
SHA1: 46abcd1589d5dc604d935bd90886557711040eb3
SHA256: 1ec7a420b6f602d2f2aea6ff98bd19ca08e0e1611dcc2e07e55806623bbe2e01
SHA512: e751c49b2550b1290a6b9bbbd92786f1a7deb1dcdac97221d3e02c3afb1e53fcadb2e769fa4a82c51ffbddde05461fab9641ff92fedecf3414a596be2fa0726f