Analysis
- max time kernel: 15s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 15/10/2024, 00:08
Static task
- static1
Behavioral task
- behavioral1
  Sample: 1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: 1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe
  Resource: win10v2004-20241007-en
General
- Target: 1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe
- Size: 14KB
- MD5: 2906e9954d3a92a8ef1775fa5e3c2580
- SHA1: eed8ecc850cb2f9f7200f765e4789897a5c12fbd
- SHA256: 1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26
- SHA512: 09c9ef9fda2f3b5850344d06c4eaf12abea8db44d26531acce526d2694e8149723adbfc9e5de8ded896a56e05bb65c73223d5b153d1193813e7b25802cc787b1
- SSDEEP: 384:FhM8ifXjqMmzP2o9U25j7AkFI/E8mkvha1H94Ni4bhG:FhMr78it25q/EF1H9D49G
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid | Process
  2992 | cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  2992 | cmd.exe
  1884 | PING.EXE
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  1884 | PING.EXE
- Suspicious use of WriteProcessMemory (16 IoCs; each row below was recorded 4 times)
  description | pid | Process | procid_target
  PID 2432 wrote to memory of 1900 | 2432 | 1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe | 28
  PID 1900 wrote to memory of 2964 | 1900 | csc.exe | 30
  PID 2432 wrote to memory of 2992 | 2432 | 1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe | 31
  PID 2992 wrote to memory of 1884 | 2992 | cmd.exe | 33
Processes
- C:\Users\Admin\AppData\Local\Temp\1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2432
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mrownrkv\mrownrkv.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1900
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB616.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9E288778C5CA4DA9AE8BF229C223A721.TMP"
      - System Location Discovery: System Language Discovery
      PID: 2964
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe" & move "객갪갂갚객.exe" "C:\Users\Admin\AppData\Local\Temp\1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe"
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2992
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 1.1.1.1 -n 1 -w 1000
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 1884
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 1921e997132ac3e4b26a63d37c0521db
  SHA1: baa3c99f66036c53fe1e9629cf2fea8f6ee9afa8
  SHA256: 4003de5a67f1bf01781b09f7f263150127cddf7af20b095d58a29aaa9075653e
  SHA512: 39aefadfbe57985ebd187e85d01e43543a37f7a600b80b8eed34c33fc56cdfb860e5ac149eb489e3e106f6806d0d1fa250b33251ef4ec2ce92aaaa83ec691d62
- Filesize: 14KB
  MD5: 443e060b8e33e5d2ee663c690637ac72
  SHA1: 82e2fe71344f306ff798bfd8a43102f8d3acd0cb
  SHA256: d81f5d89443235a415bb8e6e46b2d657739cc3bdf7312d73da73e3d76d98e51c
  SHA512: 11283da3526fcf5ba90176a2307dc04cfe412a52eee5bd55f79b0685372c3a3e3578eaff95b663821b1af81406ed5ba766ab1cb7d1815b67cb2f888cbd3abcf0
- Filesize: 1KB
  MD5: f12174e88035d2bd8b43323380b796d2
  SHA1: 529b802a100fc6ccda2c9a68d3c78dead90a1e26
  SHA256: 2779ec07488379c0f55509d077a25159896d51a9a30578e8df6333dbc625f1df
  SHA512: 7c71165f473f8fa1c21bf59ac558676edad8a380ee08680235969fcdb7c47a2ec70b9eb8fb2f411f8c7cfac361346d2976082455deb944a5dc17dcef942d2096
- Filesize: 24KB
  MD5: e8428e274e1a83658b147771a6bdde45
  SHA1: 8e5f44e3a7f5344a2be7e08334bce584dcefb306
  SHA256: c24088f91834cd4205c861007a8b6f70b7545f56047c459293605bcd032b3394
  SHA512: 00ba0e45b43cdfb00db2547ecfe4a3f8d25adc530fdfcec9355ae9f9a76d3380893013a639c34fe8b70654c6c479fd99a5141850b0428fff11c8a4941ff5202e
- Filesize: 275B
  MD5: bcd9cb0febc64451c04aaefe0ff92e8f
  SHA1: 544e2fd3e6cf1cb8b769228ef151d68d150a418f
  SHA256: 6c459d14efebdc6c792da6789b74a8cfc58ac78c4628b163742c449a090bc051
  SHA512: 4ee1a46aa6f5cec9d24a364164e3cebca294ad62c8fd0df822ca69b2cfc131994ccbcaf9a3d54435e504e893dd4e34230e4f1650b170e49648956ba4532e3063