Analysis

  • max time kernel
    15s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 · arch:x86 · image:win7-20240903-en · locale:en-us · os:windows7-x64 · system
  • submitted
    15/10/2024, 00:08

General

  • Target

    1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe

  • Size

    14KB

  • MD5

    2906e9954d3a92a8ef1775fa5e3c2580

  • SHA1

    eed8ecc850cb2f9f7200f765e4789897a5c12fbd

  • SHA256

    1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26

  • SHA512

    09c9ef9fda2f3b5850344d06c4eaf12abea8db44d26531acce526d2694e8149723adbfc9e5de8ded896a56e05bb65c73223d5b153d1193813e7b25802cc787b1

  • SSDEEP

    384:FhM8ifXjqMmzP2o9U25j7AkFI/E8mkvha1H94Ni4bhG:FhMr78it25q/EF1H9D49G

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe
    "C:\Users\Admin\AppData\Local\Temp\1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mrownrkv\mrownrkv.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB616.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9E288778C5CA4DA9AE8BF229C223A721.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2964
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe" & move "객갪갂갚객.exe" "C:\Users\Admin\AppData\Local\Temp\1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 1000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1884
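
The tree above shows two behaviours worth a detection rule: the .NET compiler (csc.exe, then cvtres.exe) being driven by a response file under %TEMP%, and a cmd.exe one-liner that uses `ping -n 1 -w 1000 > Nul` as a sleep, deletes the parent image and moves a dropped file into its place. The following is an added example, not part of the sandbox report or of the sample; the process-creation events are constructed to mirror the tree (the cvtres.exe line is shortened), the field names are assumed, and a benign csc.exe build is included as a negative control.

```python
"""Detection over process-creation events for the behaviours in the tree
above: csc.exe driven by a response file in %TEMP%, and a cmd.exe one-liner
that sleeps via ping, deletes its parent image and moves a dropped file into
its place. Added example; events are constructed, not exported from the sandbox."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / 4688 style; field names assumed)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe")
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"

# Constructed events mirroring the report's process tree, plus one benign
# csc.exe invocation from a build directory as a negative control.
EVENTS = [
    ProcEvent(2432, 1000, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(1900, 2432, NET + r"\csc.exe",
              '"' + NET + r'\csc.exe" /noconfig /fullpaths '
              r'@"C:\Users\Admin\AppData\Local\Temp\mrownrkv\mrownrkv.cmdline"'),
    ProcEvent(2964, 1900, NET + r"\cvtres.exe",
              NET + r"\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"),
    ProcEvent(2992, 2432, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul'
              ' & Del "' + SAMPLE + '" & move "객갪갂갚객.exe" "' + SAMPLE + '"'),
    ProcEvent(1884, 2992, r"C:\Windows\SysWOW64\PING.EXE", "ping 1.1.1.1 -n 1 -w 1000"),
    ProcEvent(4100, 4000, NET + r"\csc.exe",
              r'csc.exe /noconfig @"C:\Projects\app\obj\Debug\app.rsp"'),
]

PING_DELAY = re.compile(r"\bping\b[^&]*?-n\s+\d+", re.I)        # ping used as a sleep
DEL_TARGET = re.compile(r"\b(?:del|erase)\b\s+\"?([^\"&]+?)\"?\s*(?:&|$)", re.I)
MOVE_INTO = re.compile(r"\b(?:move|ren|rename|copy)\b", re.I)   # replacement step
RSP_FILE = re.compile(r'@"?([^"\s]+)"?')                        # csc @response-file
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return findings as dicts naming the event PID, the rule hit and a detail string."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        if name == "csc.exe":
            # Compiler fed a response file from the user's Temp directory: the
            # sample's runtime-compilation step. Record the parent so the analyst
            # can exclude known sources (e.g. PowerShell Add-Type) rather than csc itself.
            rsp = RSP_FILE.search(e.cmdline)
            if rsp and TEMP_DIR.search(rsp.group(1)):
                findings.append({"pid": e.pid, "rule": "runtime-compile-from-temp",
                                 "detail": "response file %s, parent %s" % (
                                     rsp.group(1), parent.image if parent else "<unknown>")})
        elif name == "cmd.exe" and parent and PING_DELAY.search(e.cmdline):
            # cmd.exe sleeping via ping, then deleting exactly the parent's image:
            # the delay exists so the parent has exited before Del runs.
            m = DEL_TARGET.search(e.cmdline)
            if m and m.group(1).strip().lower() == parent.image.lower():
                rule = "self-delete-and-replace" if MOVE_INTO.search(e.cmdline) else "self-delete"
                findings.append({"pid": e.pid, "rule": rule,
                                 "detail": "deletes parent image " + parent.image})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["pid"], f["rule"], f["detail"])
```

Two caveats when turning this into a production rule: legitimate PowerShell `Add-Type` also spawns csc.exe with a `.cmdline` response file under %TEMP%, so the compiler rule should be scoped by parent image rather than by csc.exe alone; and the `ping 1.1.1.1 -n 1 -w 1000 > Nul` step is a delay idiom (one echo request, output discarded), which is why the report tags it as Internet Connection Discovery on the child PING.EXE while the "Deletes itself" hit lands on the cmd.exe child that actually performs the Del and move.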

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESB616.tmp

    Filesize

    1KB

    MD5

    1921e997132ac3e4b26a63d37c0521db

    SHA1

    baa3c99f66036c53fe1e9629cf2fea8f6ee9afa8

    SHA256

    4003de5a67f1bf01781b09f7f263150127cddf7af20b095d58a29aaa9075653e

    SHA512

    39aefadfbe57985ebd187e85d01e43543a37f7a600b80b8eed34c33fc56cdfb860e5ac149eb489e3e106f6806d0d1fa250b33251ef4ec2ce92aaaa83ec691d62

  • C:\Users\Admin\AppData\Local\Temp\객갪갂갚객.exe

    Filesize

    14KB

    MD5

    443e060b8e33e5d2ee663c690637ac72

    SHA1

    82e2fe71344f306ff798bfd8a43102f8d3acd0cb

    SHA256

    d81f5d89443235a415bb8e6e46b2d657739cc3bdf7312d73da73e3d76d98e51c

    SHA512

    11283da3526fcf5ba90176a2307dc04cfe412a52eee5bd55f79b0685372c3a3e3578eaff95b663821b1af81406ed5ba766ab1cb7d1815b67cb2f888cbd3abcf0

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC9E288778C5CA4DA9AE8BF229C223A721.TMP

    Filesize

    1KB

    MD5

    f12174e88035d2bd8b43323380b796d2

    SHA1

    529b802a100fc6ccda2c9a68d3c78dead90a1e26

    SHA256

    2779ec07488379c0f55509d077a25159896d51a9a30578e8df6333dbc625f1df

    SHA512

    7c71165f473f8fa1c21bf59ac558676edad8a380ee08680235969fcdb7c47a2ec70b9eb8fb2f411f8c7cfac361346d2976082455deb944a5dc17dcef942d2096

  • \??\c:\Users\Admin\AppData\Local\Temp\mrownrkv\mrownrkv.0.cs

    Filesize

    24KB

    MD5

    e8428e274e1a83658b147771a6bdde45

    SHA1

    8e5f44e3a7f5344a2be7e08334bce584dcefb306

    SHA256

    c24088f91834cd4205c861007a8b6f70b7545f56047c459293605bcd032b3394

    SHA512

    00ba0e45b43cdfb00db2547ecfe4a3f8d25adc530fdfcec9355ae9f9a76d3380893013a639c34fe8b70654c6c479fd99a5141850b0428fff11c8a4941ff5202e

  • \??\c:\Users\Admin\AppData\Local\Temp\mrownrkv\mrownrkv.cmdline

    Filesize

    275B

    MD5

    bcd9cb0febc64451c04aaefe0ff92e8f

    SHA1

    544e2fd3e6cf1cb8b769228ef151d68d150a418f

    SHA256

    6c459d14efebdc6c792da6789b74a8cfc58ac78c4628b163742c449a090bc051

    SHA512

    4ee1a46aa6f5cec9d24a364164e3cebca294ad62c8fd0df822ca69b2cfc131994ccbcaf9a3d54435e504e893dd4e34230e4f1650b170e49648956ba4532e3063

  • memory/2432-0-0x00000000747EE000-0x00000000747EF000-memory.dmp

    Filesize

    4KB

  • memory/2432-1-0x0000000000B70000-0x0000000000B7A000-memory.dmp

    Filesize

    40KB

  • memory/2432-2-0x00000000003B0000-0x00000000003B8000-memory.dmp

    Filesize

    32KB

  • memory/2432-3-0x00000000747E0000-0x0000000074ECE000-memory.dmp

    Filesize

    6.9MB

  • memory/2432-16-0x00000000003F0000-0x00000000003FA000-memory.dmp

    Filesize

    40KB

  • memory/2432-20-0x00000000747E0000-0x0000000074ECE000-memory.dmp

    Filesize

    6.9MB