d4743839921a329fea3bfe312d35dca9587dd78bc1456564b1f8cd9b9c91aec7

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-10-2024 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4743839921a329fea3bfe312d35dca9587dd78bc1456564b1f8cd9b9c91aec7.exe
Size

1.1MB
MD5

375e2a945d06a836e9cc77afa959ffcb
SHA1

cfe02cd13597d8380f3e9cf84f43b135cb8a7760
SHA256

d4743839921a329fea3bfe312d35dca9587dd78bc1456564b1f8cd9b9c91aec7
SHA512

6e7ab0ccb5982b0e4407a01cd4718fc218730baca4a27f1337b21f394ec99feda8fb4cc61e1adce3f75af87cd4cfff315ce90ee7c235ced8f1d077cfae94caf7
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qu:CcaClSFlG4ZM7QzMl

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4743839921a329fea3bfe312d35dca9587dd78bc1456564b1f8cd9b9c91aec7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2124	d4743839921a329fea3bfe312d35dca9587dd78bc1456564b1f8cd9b9c91aec7.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2124	d4743839921a329fea3bfe312d35dca9587dd78bc1456564b1f8cd9b9c91aec7.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2124	d4743839921a329fea3bfe312d35dca9587dd78bc1456564b1f8cd9b9c91aec7.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2124	d4743839921a329fea3bfe312d35dca9587dd78bc1456564b1f8cd9b9c91aec7.exe
2124	d4743839921a329fea3bfe312d35dca9587dd78bc1456564b1f8cd9b9c91aec7.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2508	2124	d4743839921a329fea3bfe312d35dca9587dd78bc1456564b1f8cd9b9c91aec7.exe	30
PID 2124 wrote to memory of 2508	2124	d4743839921a329fea3bfe312d35dca9587dd78bc1456564b1f8cd9b9c91aec7.exe	30
PID 2124 wrote to memory of 2508	2124	d4743839921a329fea3bfe312d35dca9587dd78bc1456564b1f8cd9b9c91aec7.exe	30
PID 2124 wrote to memory of 2508	2124	d4743839921a329fea3bfe312d35dca9587dd78bc1456564b1f8cd9b9c91aec7.exe	30

C:\Users\Admin\AppData\Local\Temp\d4743839921a329fea3bfe312d35dca9587dd78bc1456564b1f8cd9b9c91aec7.exe
"C:\Users\Admin\AppData\Local\Temp\d4743839921a329fea3bfe312d35dca9587dd78bc1456564b1f8cd9b9c91aec7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
cc2b50ff17476305856daf0770c7c3f0

SHA1
0a6db35b0b089b6c312f216cac3039e022eba8ba

SHA256
e9a8ba134ff4b37dbe6a7d2f669de2ad9b72cce77fe50d51039d2a3378df4bc9

SHA512
6a0432106997bb1c6e8f66e80e325d2f2eefadb36c2ada2535eab442280806c696d41d069b3d37200d82b7ea641b1439dabdb8268b53c8fb68fe318d122a757a

Download Submit
memory/2124-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download