Analysis

  • max time kernel
    15s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/10/2024, 11:45

General

  • Target
    658a6a072efe4e110cf1bcacb8361192b3d62387fab0fbc294eed6903568b144N.exe
  • Size
    3.9MB
  • MD5
    413ae52d8a8a3882bb45176d2253b8d0
  • SHA1
    3b213febf0f9e83f16ea3ad6794edecc3de70afc
  • SHA256
    658a6a072efe4e110cf1bcacb8361192b3d62387fab0fbc294eed6903568b144
  • SHA512
    44c484930978adbd67946fe36d4d8209e7235b8eb669f60b1a2617b95f55a589bc73fc696c0100dad0e9950edab09c6154675605e74e04bccd52899d38f19b58
  • SSDEEP
    98304:/MDtIXLr06AdfEThF35PzuFW+Wu+cT17Ykmc8TMGbTiK7TLeLT+4mT+4HnNhNB/U:prmEdF35+CiXzjx

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\658a6a072efe4e110cf1bcacb8361192b3d62387fab0fbc294eed6903568b144N.exe
    "C:\Users\Admin\AppData\Local\Temp\658a6a072efe4e110cf1bcacb8361192b3d62387fab0fbc294eed6903568b144N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\zbe20241027114540338.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\SysWOW64\schtasks.exe
        Schtasks.Exe /delete /tn "Maintenance" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2872
      • C:\Windows\SysWOW64\schtasks.exe
        Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx20241027114540338.xml"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2476
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\zb20241027114540338.bat" "
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Windows\SysWOW64\chcp.com
        chcp 1251
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1228
      • C:\Users\Admin\AppData\Local\Temp\658a6a072efe4e110cf1bcacb8361192b3d62387fab0fbc294eed6903568b144N.exe
        "C:\Users\Admin\AppData\Local\Temp\658a6a072efe4e110cf1bcacb8361192b3d62387fab0fbc294eed6903568b144N.exe"
        3⤵
        • Executes dropped EXE
        PID:2880
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 3 /nobreak
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2972

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\zb20241027114540338.bat
    Filesize: 768B
    MD5: cd72d2f4156a7696edfa253a71704d7f
    SHA1: 5e3ecaa7c4d1319306a4781beb476cf0f951ab9d
    SHA256: c5d9896c1ef0beed07785be3401eb911523efce7fc569f6ba5184450dd2b4bf2
    SHA512: ca409285ac8ae2047451276cbbce974d9741384afcc9abc8bdf7b5fcb8a588f60f37aac49099d895636b5fd1a7e2d5c1a11e7fbbcdaa3e570b5bf985b061f382

  • C:\Users\Admin\AppData\Local\Temp\zbe20241027114540338.bat
    Filesize: 324B
    MD5: 8e1538e96332ff7b60ac15d330af55d3
    SHA1: 161e7a00371107c55c4a3cb9505820d1b4c02bc6
    SHA256: b73afc146054375209038ac660656a077d10e8256b1a2757126d8e5492e6117d
    SHA512: 9cbd7145117486ef3935a789e68622ce2942f807eb4133bba955283339af0891857c5ef98944f713c10903f25493ea41aedd1fe62aebc7bad76fe21bc85291fb

  • C:\Users\Admin\AppData\Local\Temp\ze20241027114540338.tmp
    Filesize: 3.9MB
    MD5: 21989db4b6cc664577d426658cb0855d
    SHA1: 01aa4808329a7f34b57dfbf345eda27f97d65369
    SHA256: 870251d3d6c50b2ed787595a49e945d9ea26e0e3ff2a556c5c40a483215afae1
    SHA512: e4ef93f7e5f26c347cc7fabb0c04a37f03c620f77486fe82ae17327ff035ac2dd9b80e77a156bef70de42c70c57dfd79908f2572abc487824b10eb1aa0ce71ed

  • C:\Users\Admin\AppData\Local\Temp\zx20241027114540338.xml
    Filesize: 1KB
    MD5: e2943f1f3851cc465d729fbb717f161c
    SHA1: 2d9ec1338337f3c459d57edfe918c8592a7a72a3
    SHA256: 285dfe3365fc4e552000a4a89c84532e46ef2e82b50336cbfd74abe9634e3eec
    SHA512: cba16639eec6acefe692fc845b8f6a21940459f9416f59dfafa5883cb26377ad2b86a66112f12141df318cc12419c40a87d7d6bacd83d83c89a1f16523942989