ff5c94afd5b02948e0e830c8761a653d46f05b111657b86cf671887dbe231804

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-10-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff5c94afd5b02948e0e830c8761a653d46f05b111657b86cf671887dbe231804N.exe
Size

88KB
MD5

08a16556138e4cc799ec6fbe70bc1c40
SHA1

57de00f57bf9f3a116b867e6f4aaffe997954440
SHA256

ff5c94afd5b02948e0e830c8761a653d46f05b111657b86cf671887dbe231804
SHA512

7a05d6bbab4292b0edebaec00ed70c5ccb3da69f338ac9be62d711bd906d9de0f99feb04886da053f9381827f0bfaafd00a94fb51a89370051a8270dedeff23d
SSDEEP

1536:7ybcULYv/kTTeTFPkLartLSy0cYw+qYkD1mBUveDKQ7VKChlfg30oc5R+alodboP:7yFLYv/2qwgz0vwZmBUmD9hKANzoc5Rl

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2704	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TabbtnEx = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\3565\\TabbtnEx.exe"	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff5c94afd5b02948e0e830c8761a653d46f05b111657b86cf671887dbe231804N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2980	ff5c94afd5b02948e0e830c8761a653d46f05b111657b86cf671887dbe231804N.exe
2980	ff5c94afd5b02948e0e830c8761a653d46f05b111657b86cf671887dbe231804N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2704	2980	ff5c94afd5b02948e0e830c8761a653d46f05b111657b86cf671887dbe231804N.exe	30
PID 2980 wrote to memory of 2704	2980	ff5c94afd5b02948e0e830c8761a653d46f05b111657b86cf671887dbe231804N.exe	30
PID 2980 wrote to memory of 2704	2980	ff5c94afd5b02948e0e830c8761a653d46f05b111657b86cf671887dbe231804N.exe	30
PID 2980 wrote to memory of 2704	2980	ff5c94afd5b02948e0e830c8761a653d46f05b111657b86cf671887dbe231804N.exe	30

C:\Users\Admin\AppData\Local\Temp\ff5c94afd5b02948e0e830c8761a653d46f05b111657b86cf671887dbe231804N.exe
"C:\Users\Admin\AppData\Local\Temp\ff5c94afd5b02948e0e830c8761a653d46f05b111657b86cf671887dbe231804N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  - Deletes itself
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\3565\cf69488d

Filesize
32B

MD5
37c6390dd905b3159cc5be0b513360df

SHA1
d1fc5d4c936a0e5d39492b8d8871a3ec551915a9

SHA256
30bfe203488ff6f7f275ae0c4187467599b1b9005f01e48edd95d0feb8b842b0

SHA512
cef48ef4725bd62ed5b4d36296fa047c48d842b6e9d5a2f16e9cbc11244cfa42088dd0cc47116c1c3a041c439026bb03a5ce73c2e3e05fae65d5efcffb526391

Download Submit
C:\Users\Admin\AppData\Roaming\-815183731

Filesize
208B

MD5
3627c8580b615c620b8ca748c092b572

SHA1
8b56f2e54e2876f17ae89a67ff8b8cb20813f436

SHA256
171764a8237371581439375839e3d5ae1ca25d253f315d506344af8bd2bdcee4

SHA512
8f4b41367c260d27829fb2aae9b05dc4d5df37916a60a88acbbd241669ae9e4732ea2f314a71ac77345f1f34c505683c402e2e58c7deeb40078c4cc4a0376574

Download Submit
memory/2704-12-0x0000000000B10000-0x0000000000B2B000-memory.dmp

Filesize
108KB

Download
memory/2704-13-0x0000000000B10000-0x0000000000B2B000-memory.dmp

Filesize
108KB

Download
memory/2704-15-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/2704-19-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/2980-0-0x0000000000080000-0x00000000000A6000-memory.dmp

Filesize
152KB

Download
memory/2980-9-0x0000000000160000-0x000000000016B000-memory.dmp

Filesize
44KB

Download
memory/2980-1-0x0000000000160000-0x000000000016B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads