Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26-10-2024 01:03

General

  • Target

    715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe

  • Size

    841KB

  • MD5

    4a667433343828c12e9c5679f707db74

  • SHA1

    1ef28cff2d80369bece4b28b88beaf52342cc62a

  • SHA256

    715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f

  • SHA512

    c03b335895ac4a0ae9825000c4ef9d73f67e0a9475556567fdfe547ab9f03fbfa9c63a1a4db8b3cf89ddfa36b8db37d178fd3bfa3c5945519e20ef06493690b9

  • SSDEEP

    24576:muS04YNEMuExDiU6E5R9s8xY/2l/df6Ibt+rH:mq4auS+UjfU2Tf6Ibt+r

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe
    "C:\Users\Admin\AppData\Local\Temp\715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --install
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:2868
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows.old\WINDOWS
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1256
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Windows.old\WINDOWS"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:3008

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    69339aa2b7229574a0219592f5968bc3

    SHA1

    1d1b4c2fc4bfa8014922c4c33925631ef1e04e9b

    SHA256

    c6a8a5db9fb43c31bdeae1176aeac3f56d6bad630f59469b95e9655048928b8f

    SHA512

    9030704300c8214c6a8b1863abdcd9bae5bb558c884521ba192368b4cf2956d4072f1e6d7a52b5981753648a16284b3fa40ef9263d9a6d13e8ebaf2f28a41d11

  • C:\Windows.old\WINDOWS

    Filesize

    841KB

    MD5

    4a667433343828c12e9c5679f707db74

    SHA1

    1ef28cff2d80369bece4b28b88beaf52342cc62a

    SHA256

    715b4f18f85cbea590cb0a124c8653671d954c6cab3d81a3c570140b69ee6c1f

    SHA512

    c03b335895ac4a0ae9825000c4ef9d73f67e0a9475556567fdfe547ab9f03fbfa9c63a1a4db8b3cf89ddfa36b8db37d178fd3bfa3c5945519e20ef06493690b9

  • C:\Windows\SysWOW64\WindowsInput.InstallLog

    Filesize

    224B

    MD5

    e469dda91ae810a1f94c96060f3f8a65

    SHA1

    0b4b3b0f6f937016b1e045ce5313ee2a65a38630

    SHA256

    d42fee8db8eb0e047ca53ad59b1c9bc69fe04993be36fec502e3532371908842

    SHA512

    2eb4037361c03e195c642a53f55a3182a6df19903db503060e366f2394750e64ae04fdaace61ef5a6dba649defc88322d78edd2928bc53ebd1ce11d68cc88dac

  • C:\Windows\SysWOW64\WindowsInput.InstallLog

    Filesize

    597B

    MD5

    c2291863df7c2d3038ce3c22fa276506

    SHA1

    7b7d2bc07a6c35523807342c747c9b6a19f3184e

    SHA256

    14504199bede3f46129969dbd2b7680f2e5b7fcd73a3e427ce1bb6217a6d13da

    SHA512

    00bf40174a67e3e663d18a887c5b461a1e5ead0b27f0a139d87969158c58f4ca72cfa5a731dda239356192ca4cb5ac6ae2b0e37401d534e686cabacd3cbee8fa

  • C:\Windows\SysWOW64\WindowsInput.exe

    Filesize

    21KB

    MD5

    e854a4636afc652b320e12e50ba4080e

    SHA1

    8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc

    SHA256

    94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5

    SHA512

    30aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118

  • memory/2700-1-0x0000000074E70000-0x000000007541B000-memory.dmp

    Filesize

    5.7MB

  • memory/2700-2-0x0000000074E70000-0x000000007541B000-memory.dmp

    Filesize

    5.7MB

  • memory/2700-0-0x0000000074E71000-0x0000000074E72000-memory.dmp

    Filesize

    4KB

  • memory/2700-42-0x0000000074E70000-0x000000007541B000-memory.dmp

    Filesize

    5.7MB

  • memory/2868-20-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

    Filesize

    9.6MB

  • memory/2868-36-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

    Filesize

    9.6MB

  • memory/2868-23-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

    Filesize

    9.6MB

  • memory/2868-9-0x000007FEF672E000-0x000007FEF672F000-memory.dmp

    Filesize

    4KB