05f412e900dcd074380eeaa7bda4c8e95d8e276353867d68ad8d261dbd433f67

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 18:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

05f412e900dcd074380eeaa7bda4c8e95d8e276353867d68ad8d261dbd433f67.exe
Size

208KB
MD5

be19846d55bddda28c0be81c3cdbb835
SHA1

e901993a98a3611a90c6c6c903f7e6415b14b87f
SHA256

05f412e900dcd074380eeaa7bda4c8e95d8e276353867d68ad8d261dbd433f67
SHA512

1b6a7c1ac14dede1ba20f80ce5fb92514a611df54e169a1c1974465a950691e434a602b0d829503028163eb3900b4822cdcb19b71e80a9e79185e29f10ed0ad7
SSDEEP

3072:qVzfDascJ5hrdVn0zrWwskaJDals3Aka4jd7e4NLthEjQT6+:qhfMrDnwRsJglyAka4ByQEjM

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1848	OLJH.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\OLJH.exe	05f412e900dcd074380eeaa7bda4c8e95d8e276353867d68ad8d261dbd433f67.exe
File opened for modification	C:\windows\OLJH.exe	05f412e900dcd074380eeaa7bda4c8e95d8e276353867d68ad8d261dbd433f67.exe
File created	C:\windows\OLJH.exe.bat	05f412e900dcd074380eeaa7bda4c8e95d8e276353867d68ad8d261dbd433f67.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05f412e900dcd074380eeaa7bda4c8e95d8e276353867d68ad8d261dbd433f67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OLJH.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2328	05f412e900dcd074380eeaa7bda4c8e95d8e276353867d68ad8d261dbd433f67.exe
1848	OLJH.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2328	05f412e900dcd074380eeaa7bda4c8e95d8e276353867d68ad8d261dbd433f67.exe
2328	05f412e900dcd074380eeaa7bda4c8e95d8e276353867d68ad8d261dbd433f67.exe
1848	OLJH.exe
1848	OLJH.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2252	2328	05f412e900dcd074380eeaa7bda4c8e95d8e276353867d68ad8d261dbd433f67.exe	30
PID 2328 wrote to memory of 2252	2328	05f412e900dcd074380eeaa7bda4c8e95d8e276353867d68ad8d261dbd433f67.exe	30
PID 2328 wrote to memory of 2252	2328	05f412e900dcd074380eeaa7bda4c8e95d8e276353867d68ad8d261dbd433f67.exe	30
PID 2328 wrote to memory of 2252	2328	05f412e900dcd074380eeaa7bda4c8e95d8e276353867d68ad8d261dbd433f67.exe	30
PID 2252 wrote to memory of 1848	2252	cmd.exe	32
PID 2252 wrote to memory of 1848	2252	cmd.exe	32
PID 2252 wrote to memory of 1848	2252	cmd.exe	32
PID 2252 wrote to memory of 1848	2252	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\05f412e900dcd074380eeaa7bda4c8e95d8e276353867d68ad8d261dbd433f67.exe
"C:\Users\Admin\AppData\Local\Temp\05f412e900dcd074380eeaa7bda4c8e95d8e276353867d68ad8d261dbd433f67.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\OLJH.exe.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\windows\OLJH.exe
    C:\windows\OLJH.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\OLJH.exe

Filesize
208KB

MD5
d18dd22960aeb3a1aa74ee224ffa0569

SHA1
b5f9efb0f33480406cd22769c99db7e4ff2c07d3

SHA256
fa096686e8463370214681284e3a8d60b4559eb592b3b0f93a06e4af8a249094

SHA512
88742d9fc961ee8acdca13ad10852c81440d35d77d82a495274459324537c63a374317b54c766d8449df90d58d58ac04e385e30a39b28a33c30d0c1d0d07b87c

Download Submit
C:\Windows\OLJH.exe.bat

Filesize
54B

MD5
a59ca273906aca7798cf5e5603fab166

SHA1
df233befc341eec83cbdfac8ef77ad73d60f766b

SHA256
62b83ad5a16358e19612e646294ad8a7b4f1b89874201cfc314dea4160688ec8

SHA512
d993cc8b4e525954277b99cc079dbd753141e479fe0986eda9409f5a02d38f5364dade406d78da86811ba3b696f68a6ec70d73c204a8a607bf39b9d953404593

Download Submit
memory/1848-16-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1848-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2328-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2328-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download