012cf7c1e90a4c1a39fc5f747cced00b5066ce23e1949b089df06c2216b9024f

Analysis

max time kernel
135s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
14-10-2024 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stop Moodle.exe
Size

20KB
MD5

c86eb0d98cee9414d1e3e9cba8f7d0ed
SHA1

3b5b0a169f96389dd3760e9d54ea71efbdab399d
SHA256

012cf7c1e90a4c1a39fc5f747cced00b5066ce23e1949b089df06c2216b9024f
SHA512

b47fe369354debbd5050f5aca4f01a2a55ef5cfc82000adb12167b2679add9f2097e7fd99184530631842cd14f69792bb32b07916e474d9cf3e3e43442b808c6
SSDEEP

192:oeBLV0pidqqBR5Fhp8cdwpHR3AkPLiM79mLU2PcQ6ShcOm:oeZqqv5FZdgAkTiM79mgLOcOm

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1536	b2e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stop Moodle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2e.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 1536	4184	Stop Moodle.exe	72
PID 4184 wrote to memory of 1536	4184	Stop Moodle.exe	72
PID 4184 wrote to memory of 1536	4184	Stop Moodle.exe	72
PID 1536 wrote to memory of 4736	1536	b2e.exe	73
PID 1536 wrote to memory of 4736	1536	b2e.exe	73
PID 1536 wrote to memory of 4736	1536	b2e.exe	73
PID 1536 wrote to memory of 4492	1536	b2e.exe	76
PID 1536 wrote to memory of 4492	1536	b2e.exe	76
PID 1536 wrote to memory of 4492	1536	b2e.exe	76

C:\Users\Admin\AppData\Local\Temp\Stop Moodle.exe
"C:\Users\Admin\AppData\Local\Temp\Stop Moodle.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Users\Admin\AppData\Local\Temp\5B8D.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5B8D.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5B8D.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\Stop Moodle.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5C2A.tmp\batchfile.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5B8D.tmp\b2e.exe

Filesize
8KB

MD5
086a33e2abce74042a6c20374b7f061c

SHA1
4b346237e3a2d839aaafbefaa8fac7cace1a0c17

SHA256
3a829f3dc66b5d060910189447a1ad50443ea01880235d097a2baa2169ead15a

SHA512
0276ba390415b1296be6f73bbb6b2423e81cac8adb1a7cd498afafff5e41f938f29e1e3ff5dff0a2e363414e0062754069c0f19340333ccbeef8a8494a80f228

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C2A.tmp\batchfile.bat

Filesize
205B

MD5
3e0a729d8f098b7c12d469dfb4bf51ea

SHA1
9571441685ec6b716d3bd6553285be34a91e375d

SHA256
50ebc7cb7415c7d1f73c8e6dd52edf59f67a9ffcac98002a101a1adb450bbb6e

SHA512
b7ddb3d811d9549aedbf160a3f13350dec57c1a31ededc8de6a38d4e98e619db3dd8a03337b2cc4684241cc718e5b651a4ef5d53a5092230307b6f3073c1397c

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

Filesize
158B

MD5
feb735383f05801a36a078eeed27e48d

SHA1
b9a0e9c442282b8e5c6b84986084b85d567db4a6

SHA256
8c4690563ce197f5dc0910b632373f35b955a22e4ed001c5499a34936e09266e

SHA512
b259a5e5153bb4ed2db5e284ab12920f998a4abc784201a73e55371f61c3d6ddee32d5f507f4ad094c0c69dd9ef00a9351eb916ccf0c46a7d13c2bcadd5b6767

Download Submit
memory/1536-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1536-13-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1536-17-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4184-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4184-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download