Analysis

  • max time kernel
    121s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/10/2024, 01:06

General

  • Target

    9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe

  • Size

    2.1MB

  • MD5

    8e3c20227c45fb59c9a595c3a78448de

  • SHA1

    85b16583812a18d1d718222bd423dc0dd92eaddb

  • SHA256

    9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81

  • SHA512

    30fdcf629c43cc0ed2118a3d4ddb591d803b93e2b54c3451b7f046d662315dd5a0916ec4a22068d423a977e6847b697a8f597b749f7a505dda3b660486f7c9e1

  • SSDEEP

    49152:g727d7A7yD7q7yD72747q7yD7A7yD7q7yDD:g65MmD2mD6c2mDMmD2mDD

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 3 IoCs
  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Executes dropped EXE 6 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe
    "C:\Users\Admin\AppData\Local\Temp\9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      2⤵
      • Impair Defenses: Safe Mode Boot
      • System Location Discovery: System Language Discovery
      • Modifies registry key
      PID:2668
    • C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:320
      • C:\Users\Admin\AppData\Local\Temp\avscan.exe
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2564
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\windows\W_X_C.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\windows\hosts.exe
          C:\windows\hosts.exe
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:528
          • C:\Users\Admin\AppData\Local\Temp\avscan.exe
            C:\Users\Admin\AppData\Local\Temp\avscan.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2068
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\windows\W_X_C.bat
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2160
            • C:\windows\hosts.exe
              C:\windows\hosts.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2856
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
              6⤵
              • Adds policy Run key to start application
              • System Location Discovery: System Language Discovery
              PID:2408
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2164
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:828
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2008
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1344
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          4⤵
          • Adds policy Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2988
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2504
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2404
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1940
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1628
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\windows\hosts.exe
        C:\windows\hosts.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2660
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        3⤵
        • Adds policy Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2980
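
The process tree above shows three behaviours worth turning into detection logic: REG.exe deleting the SafeBoot control key (the "Impair Defenses: Safe Mode Boot" signature, ATT&CK T1562.009), a dropped executable named hosts.exe running directly from the Windows directory, and cmd.exe / WScript.exe launching W_X_C.bat and W_X_C.vbs from that same directory. The following is an added example, not part of the sandbox report or of any vendor tooling: process-creation events are constructed from the command lines and PIDs shown in the tree (plus some benign noise to check for false positives), and the event field names and the allowlist of binaries that legitimately live in %SystemRoot% are assumptions rather than a particular EDR or Sysmon schema.

```python
"""Added example: detection rules over process-creation events modelled on the
report's process tree. Event schema (pid, ppid, image, cmdline) is an assumption."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process
    cmdline: str  # command line as logged


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\9d8133b2138a8f1e1e2035d0b8a82827675d77e6307ccd943f209ca5e7e5ba81.exe")

# Constructed events: PIDs and command lines taken from the report's process tree.
# The root's parent PID (0) is not in the report and is a placeholder.
EVENTS = [
    ProcEvent(2400, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2668, 2400, r"C:\Windows\SysWOW64\REG.exe",
              r"REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f"),
    ProcEvent(320, 2400, r"C:\Users\Admin\AppData\Local\Temp\avscan.exe",
              r"C:\Users\Admin\AppData\Local\Temp\avscan.exe"),
    ProcEvent(2652, 320, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c c:\windows\W_X_C.bat"),
    ProcEvent(528, 2652, r"C:\windows\hosts.exe", r"C:\windows\hosts.exe"),
    ProcEvent(2988, 2652, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"'),
    # Constructed benign noise that the rules must not flag.
    ProcEvent(1500, 1000, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(1501, 1500, r"C:\Windows\System32\reg.exe",
              r"reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"),
    ProcEvent(1502, 1500, r"C:\Windows\System32\cmd.exe",
              r'cmd /c "C:\Users\Admin\build\run.bat"'),
]

# Binaries that legitimately sit directly under %SystemRoot% on Windows 7.
# Assumed starting allowlist; tune it against a clean baseline of your own image.
WINDOWS_ROOT_ALLOW = {
    "explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe",
    "winhlp32.exe", "splwow64.exe", "helppane.exe", "bfsvc.exe", "fveupdate.exe",
}

# reg.exe DELETE of anything under ...\Control\SafeBoot (T1562.009). A REG QUERY
# of the same key is normal administration and must not match.
SAFEBOOT_DELETE = re.compile(r"\bdelete\b.*\\control\\safeboot\b", re.IGNORECASE)

# A script file placed directly in <drive>:\Windows\ and handed to an interpreter.
SCRIPT_IN_WINROOT = re.compile(
    r"(?i)(?:^|[\s\"'])[a-z]:\\windows\\[^\\\"']+\.(?:bat|cmd|vbs|vbe|js|jse|wsf)\b")


def _in_windows_root(path: str) -> bool:
    """True when path is directly under <drive>:\\Windows\\ with no deeper subdirectory."""
    parts = path.replace("/", "\\").lower().split("\\")
    return (len(parts) == 3 and len(parts[0]) == 2 and parts[0].endswith(":")
            and parts[1] == "windows")


def detect(events):
    """Return (rule_name, pid) pairs for every event that trips a rule."""
    findings = []
    for ev in events:
        base = ntpath.basename(ev.image).lower()
        if base == "reg.exe" and SAFEBOOT_DELETE.search(ev.cmdline):
            findings.append(("safeboot_delete", ev.pid))
        if base.endswith(".exe") and _in_windows_root(ev.image) and base not in WINDOWS_ROOT_ALLOW:
            findings.append(("exe_in_windows_root", ev.pid))
        if base in ("cmd.exe", "wscript.exe", "cscript.exe") and SCRIPT_IN_WINROOT.search(ev.cmdline):
            findings.append(("script_in_windows_root", ev.pid))
    return findings


def ancestry(events, pid):
    """Walk ppid links from pid up to the first process whose parent is unknown,
    so a finding can be attributed back to the original dropper."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:24s} pid={pid:<5d} chain={ancestry(EVENTS, pid)}")
```

Running the block flags PIDs 2668 (SafeBoot delete), 528 (hosts.exe from C:\windows) and 2652/2988 (W_X_C.bat and W_X_C.vbs launched from C:\Windows), each traced back to PID 2400, while explorer.exe, the REG QUERY and the user-profile batch file stay quiet. The SafeBoot rule is the highest-confidence of the three; the Windows-root rules depend on the allowlist matching your own gold image.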

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    4.2MB

    MD5

    d6d4d02e23b7d2f825e658bc8f485170

    SHA1

    9c44926d5619860203a64ae70bcf1e02e5b4d666

    SHA256

    6ea875fb194948b92a1934cb8bc518737e4c9ee436da3a1c68e35c6525f422f3

    SHA512

    61feee0438a6187230da74fbf5059a1a8b416c7217bdee6d4c462f4570df7b15371325a14f5d9bd3ecd5b2e7eff8bd697674489271b639b1688d1ad7862b1f31

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    6.3MB

    MD5

    9a89847130e84878d0e03d42c7a0cb83

    SHA1

    f8d0a2f36c74b28229a57861c9d2985417b6c90d

    SHA256

    3c338bcdaa66fc51d78e03ea43bc1b287056c19edcd7fc45fa5d1cd1424ac523

    SHA512

    bfbd885f4bcda64bddf86f09e36f02df4a1c800786f6ec57e86dd1a83761d8f16e363d76b2f5547efd72c537e472e768781609eaca1f8253ec6ac46f49a44134

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    8.3MB

    MD5

    4d94501c6c22373d75756e49c4eeaf10

    SHA1

    e25f6f84c3a440b0db2d6dd916c6e9716bc26f6c

    SHA256

    d127fe03023c75bf48e6f9ad7c57e9ffa5ff32bbbb45dc36b92bcaa32675eb27

    SHA512

    f3b80be44d9b382a8083d6b0bbd7f8e349202ade3d7f2f21cfb42a51fff598e89eab18f0e6862a3922568a6dfcd35502738fcf9ec128b2e2ade078e79d37fad6

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    10.4MB

    MD5

    c69023dd7537344590ec403a9e02f308

    SHA1

    4e354c57f7bb06518b1cceaa6ebbae6dc4767331

    SHA256

    061653f10f8316064136cb3c7aa33e1fb797f02fbec417d70ab62746484a36f0

    SHA512

    14e26581b32798769b6178552db96c19db51f108ed8b877b7aa40ce9925342a14b65c020ac10f417d950084fabe60ff69fa17ea876b91aee39306dade41ee7ad

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    12.5MB

    MD5

    2986d0b1449712c5dfa95f3cdd3f5b16

    SHA1

    f6369261e7f5f0cbf0a81dc1371f9dba9e20f82a

    SHA256

    914e198cc8f68a95ecdd435813935c4936b1cc2c99c50f8bce200bb7c622f473

    SHA512

    a939f0906f6247ae165f36f08975fbdae7d072ac38cf137f18b2484e969e70cb8e7aef43a9068ef991dc9b2f9e25f968cf37b00a0ffbefa39a723e533d8f4db7

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    16.7MB

    MD5

    c922367db7938e318ad3b676aca6853f

    SHA1

    67c70f079b66d31664a33184006642e68caa2d46

    SHA256

    8e4aee862f051876b3fcee2f87d2b81d3fb083d33d7c24f3e6f0fd6f9b7ea0a7

    SHA512

    a9ad926556f50831dae307ef5c4ba85d90e079e1c942ad4f6fb9c8d11afbf3393b90962808ff22f7560702e0251996278e4c3f043057655eb416c20a8eb9deed

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    16.7MB

    MD5

    29011c7035c9073fda65d572eb57e4af

    SHA1

    63dccd55d21d6a01ad7ea9505c9ad02130d8f377

    SHA256

    65c1cd81012ecc74bc38e10f6c7c2ec23a71508ab4a207757026f5de2ac9fcbd

    SHA512

    6a48bf047022ce9581ae9c8c4bfac2f8dd7bf32aef6d7749269d8ad90eb0f23cb2ec0a45770d73e27dca81b3599548b6ce8535937bf05cd14fe43a41f5b4bf30

  • C:\Windows\W_X_C.vbs

    Filesize

    195B

    MD5

    3c4e84045a74e5f159fa3f27f6c7fd04

    SHA1

    b094707d7433252e936e8877f7979a5d6eb92313

    SHA256

    ca96696a0a3986bf08859c1db04be21dbd09ac1421649ab970b437e560ff5944

    SHA512

    37bfc7c5fa0dbf998cd6e856b53483dc53acac2c4f8544e122e43bc96fe55f1880ad7fe5069f4fe2e23affd3671f999ae805023a501ffd4b41644fc5579777a3

  • C:\Windows\hosts.exe

    Filesize

    2.1MB

    MD5

    9ce9e6938972d42866faf4e710bd8952

    SHA1

    9f8b6496561d591e6187eed95f4284dcb33cca75

    SHA256

    a346efab5e56ff7385cae953872b09edca0bdc6542d1578e912a47f54c1ca068

    SHA512

    f49919f0ba88b84d48f51e30213f02bb59886f8f874912eca747f90303605c12fa431f77dd88ea973af681ef6066ab7571c89ebb0debc030a6bb75d3130f57c1

  • \??\c:\windows\W_X_C.bat

    Filesize

    336B

    MD5

    4db9f8b6175722b62ececeeeba1ce307

    SHA1

    3b3ba8414706e72a6fa19e884a97b87609e11e47

    SHA256

    d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

    SHA512

    1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

  • \Users\Admin\AppData\Local\Temp\avscan.exe

    Filesize

    2.1MB

    MD5

    973c91ff228ae8fd2e883e2334b67fef

    SHA1

    fe1ced2a781febdef84e479472aa9456fec1cf8c

    SHA256

    d2b994d285e70626ce30846dbf64c2a2b401189428223358aa6f0eb7ed8048d8

    SHA512

    3ac1d8196095d0b4ade2a827e0328b8cc1b8382ff57ed6fb202ccb65230d9a60440f2049d78173af94912b7feeb9d8d8ceb3231973cc98ee8384f83e79ebd58b

  • memory/2652-63-0x0000000002550000-0x0000000002650000-memory.dmp

    Filesize

    1024KB

  • memory/2836-64-0x00000000023B0000-0x00000000024B0000-memory.dmp

    Filesize

    1024KB