66cfe98bdab5ba7bc9642ae084b708deb928d4688b9bc577c5add8b021cbcafe

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

J74N3UGkQRFbJPTK.exe
Size

8.2MB
MD5

e0cf4901b5fe2a17af5a369e7faeab1b
SHA1

2d71a612c66a267d71f39769b2ab3d7e99035764
SHA256

66cfe98bdab5ba7bc9642ae084b708deb928d4688b9bc577c5add8b021cbcafe
SHA512

22dbf9e1d71822ffd6c5505a2eeffb46fbf75d5e5cec9fba619ccf78100ec9a5f6063fafce1f07bcdae3eeb8ec0732661ba15fca7bf57bb08d0943b1d0512df6
SSDEEP

196608:sfU3F+AqdanoW6dyebDOuKMXRlbO0OeRzM1Hyq:8qFovIebSDwyeZMpX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

J74N3UGkQRFbJPTK.exeVirtual.exeVirtual.exe

pid process

2832 J74N3UGkQRFbJPTK.exe
2616 Virtual.exe
2688 Virtual.exe

pid	process
2832	J74N3UGkQRFbJPTK.exe
2616	Virtual.exe
2688	Virtual.exe

Loads dropped DLL 15 IoCs

Processes:

J74N3UGkQRFbJPTK.exeJ74N3UGkQRFbJPTK.exeVirtual.exeVirtual.execmd.exe

pid	process
2484	J74N3UGkQRFbJPTK.exe
2832	J74N3UGkQRFbJPTK.exe
2832	J74N3UGkQRFbJPTK.exe
2832	J74N3UGkQRFbJPTK.exe
2616	Virtual.exe
2616	Virtual.exe
2616	Virtual.exe
2616	Virtual.exe
2616	Virtual.exe
2616	Virtual.exe
2688	Virtual.exe
2688	Virtual.exe
2688	Virtual.exe
2688	Virtual.exe
3032	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Virtual.exe

description pid process target process

PID 2688 set thread context of 3032 2688 Virtual.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2688 set thread context of 3032	2688	Virtual.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

J74N3UGkQRFbJPTK.exeJ74N3UGkQRFbJPTK.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	J74N3UGkQRFbJPTK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	J74N3UGkQRFbJPTK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Virtual.exeVirtual.execmd.exe

pid process

2616 Virtual.exe
2688 Virtual.exe
2688 Virtual.exe
3032 cmd.exe
3032 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Virtual.execmd.exe

pid process

2688 Virtual.exe
3032 cmd.exe

pid	process
2616	Virtual.exe
2688	Virtual.exe
2688	Virtual.exe
3032	cmd.exe
3032	cmd.exe

pid	process
2688	Virtual.exe
3032	cmd.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

J74N3UGkQRFbJPTK.exeJ74N3UGkQRFbJPTK.exeVirtual.exeVirtual.execmd.exe

description	pid	process	target process
PID 2484 wrote to memory of 2832	2484	J74N3UGkQRFbJPTK.exe	J74N3UGkQRFbJPTK.exe
PID 2484 wrote to memory of 2832	2484	J74N3UGkQRFbJPTK.exe	J74N3UGkQRFbJPTK.exe
PID 2484 wrote to memory of 2832	2484	J74N3UGkQRFbJPTK.exe	J74N3UGkQRFbJPTK.exe
PID 2484 wrote to memory of 2832	2484	J74N3UGkQRFbJPTK.exe	J74N3UGkQRFbJPTK.exe
PID 2484 wrote to memory of 2832	2484	J74N3UGkQRFbJPTK.exe	J74N3UGkQRFbJPTK.exe
PID 2484 wrote to memory of 2832	2484	J74N3UGkQRFbJPTK.exe	J74N3UGkQRFbJPTK.exe
PID 2484 wrote to memory of 2832	2484	J74N3UGkQRFbJPTK.exe	J74N3UGkQRFbJPTK.exe
PID 2832 wrote to memory of 2616	2832	J74N3UGkQRFbJPTK.exe	Virtual.exe
PID 2832 wrote to memory of 2616	2832	J74N3UGkQRFbJPTK.exe	Virtual.exe
PID 2832 wrote to memory of 2616	2832	J74N3UGkQRFbJPTK.exe	Virtual.exe
PID 2832 wrote to memory of 2616	2832	J74N3UGkQRFbJPTK.exe	Virtual.exe
PID 2616 wrote to memory of 2688	2616	Virtual.exe	Virtual.exe
PID 2616 wrote to memory of 2688	2616	Virtual.exe	Virtual.exe
PID 2616 wrote to memory of 2688	2616	Virtual.exe	Virtual.exe
PID 2688 wrote to memory of 3032	2688	Virtual.exe	cmd.exe
PID 2688 wrote to memory of 3032	2688	Virtual.exe	cmd.exe
PID 2688 wrote to memory of 3032	2688	Virtual.exe	cmd.exe
PID 2688 wrote to memory of 3032	2688	Virtual.exe	cmd.exe
PID 2688 wrote to memory of 3032	2688	Virtual.exe	cmd.exe
PID 3032 wrote to memory of 1152	3032	cmd.exe	MSBuild.exe
PID 3032 wrote to memory of 1152	3032	cmd.exe	MSBuild.exe
PID 3032 wrote to memory of 1152	3032	cmd.exe	MSBuild.exe
PID 3032 wrote to memory of 1152	3032	cmd.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\J74N3UGkQRFbJPTK.exe
"C:\Users\Admin\AppData\Local\Temp\J74N3UGkQRFbJPTK.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\Temp\{0F42DC84-E926-4E53-AA12-209E232A53A5}\.cr\J74N3UGkQRFbJPTK.exe
"C:\Windows\Temp\{0F42DC84-E926-4E53-AA12-209E232A53A5}\.cr\J74N3UGkQRFbJPTK.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\J74N3UGkQRFbJPTK.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\Temp\{CD7ABC37-AB4B-4690-A09E-BB0CDDA6279A}\.ba\Virtual.exe
"C:\Windows\Temp\{CD7ABC37-AB4B-4690-A09E-BB0CDDA6279A}\.ba\Virtual.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2616

C:\Users\Admin\AppData\Roaming\Hfdriverv4\Virtual.exe
C:\Users\Admin\AppData\Roaming\Hfdriverv4\Virtual.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
6⤵
PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\27f20127

Filesize
3.1MB

MD5
3af35a2e007583df8310397cadf09997

SHA1
1ade90ceb6bf299d3b487cdaacd0a0e6993f594e

SHA256
f8d37e9ac992d14b40fabe49086a966054465c7d66f4b70b8434f5e4871b604f

SHA512
3b5d9a99a7c224a167e15e663069e5342f392dda73ad2c9fa0ec84a8e7f5c17c45fc3b354de16f9cbefdf2dd3c482bae8c1461c12e3615b775370713e59d30c0

Download Submit
C:\Windows\Temp\{CD7ABC37-AB4B-4690-A09E-BB0CDDA6279A}\.ba\togeroi

Filesize
93KB

MD5
6c278a8759cc3d2c20cb31b96cceffba

SHA1
c0a1f3a3e98b004f298f7fab69a7e0b2c3230390

SHA256
e37be4d4567d1bf3efd9a0e72522440e9971c2f73e162a831d163ae0abd0bba3

SHA512
6ddeebff2f0b81a0c571d54d3941b9a768fab9e5e9117f134291a17cb3fda6cd892b72b5803b7ca9b9b120e63b31794243c1e0337da815affd558905fe6dc406

Download Submit
C:\Windows\Temp\{CD7ABC37-AB4B-4690-A09E-BB0CDDA6279A}\.ba\yji

Filesize
2.8MB

MD5
4546983da706b1d902369838e3e025e8

SHA1
c1204dd491fe9cd8f66acb2e88168cf7aa8cf833

SHA256
a74d5f8def4628a3fd1cec46962b01d968a3ebd9621b293c5a314d97ca86b479

SHA512
3181519bcf5b7b0bb9572b48b2751743d83ba971e917859224bc4e0366ef6af926ebf9c353dce653c88f746a93fc16b1e0328747e9aa448f00e08ac93620062b

Download Submit
\Windows\Temp\{0F42DC84-E926-4E53-AA12-209E232A53A5}\.cr\J74N3UGkQRFbJPTK.exe

Filesize
8.1MB

MD5
29d068479a2ed134b1c00f910b739a6e

SHA1
b6586ad295c40df90bb2da169519cf2f01769dff

SHA256
914b4f330d93a980d9caa1258b862a0e6284a4c4876033d06ac0076a3180298c

SHA512
ac76f743a4ce42ea2018b5af64d7e5886a23441dc808a191e0194574ebd3daf689341b3df6ed05d4e74751d1574194b7a528c39dbaa8e380767815815aa53294

Download Submit
\Windows\Temp\{CD7ABC37-AB4B-4690-A09E-BB0CDDA6279A}\.ba\Dipterocarpaceae.dll

Filesize
3.3MB

MD5
ce0fa57391d0a30d8d4d4267cf7fc62a

SHA1
3d142ecb01fd9dd29eefb8608605435dab4f7e51

SHA256
425227a0b060a31b3f726f9fc5d3b5a3bd9739ba64204982a61204021424345e

SHA512
b83ee72ff13000cc05da27db20683f17fa1e412ee30abd5bdc920ff2146aaff45d4104d0dffd169be1afbecf58bdc76c5fd9ba6a6c498e1ea348f7686bc0f895

Download Submit
\Windows\Temp\{CD7ABC37-AB4B-4690-A09E-BB0CDDA6279A}\.ba\VBoxDDU.dll

Filesize
371KB

MD5
496df6ad1a158ed5037138e397713ef0

SHA1
287bd2219c955687baa399ded57e9ab64334c63c

SHA256
07c04290f53aaaaa7df6b6ea3a53103b6e3ef8ff658d8097617a9c48dfc6e90a

SHA512
422da26a8f50c1f02c1cc7c4bed37cdb33732039bba82f32c2a14baa8c6a7bc5544856ab26a2071b5ea8e731a296e2c69071da2f067312d05763aa3a9928bb3a

Download Submit
\Windows\Temp\{CD7ABC37-AB4B-4690-A09E-BB0CDDA6279A}\.ba\VBoxRT.dll

Filesize
4.1MB

MD5
54adad2532884cee2c8e6a085e5db58e

SHA1
f5e4d7ba3684a996f7bdeec53b66be035317c0f1

SHA256
3cff6c4268e1b10dfc740d30b14387a82f572000b30e3207984926ebd31bae5d

SHA512
32eba26f93627476011cedcfeb3070ced698f95826f1d076d5e9b210ea10c81cb15212c3293a618364dce75904ed8af4b3cc14dccf2cedc94b307637ddd59843

Download Submit
\Windows\Temp\{CD7ABC37-AB4B-4690-A09E-BB0CDDA6279A}\.ba\Virtual.exe

Filesize
3.4MB

MD5
c8a2de7077f97d4bce1a44317b49ef41

SHA1
6cb3212ec9be08cb5a29bf8d37e9ca845efc18c9

SHA256
448402c129a721812fa1c5f279f5ca906b9c8bbca652a91655d144d20ce5e6b4

SHA512
9815eba1566a8e33734f6a218071ec501dd1f799b1535e25d87c2b416b928ae8d15f8218cf20e685f9907ec39c202cbfc4728fe6ab9d87b3de345109f626845e

Download Submit
\Windows\Temp\{CD7ABC37-AB4B-4690-A09E-BB0CDDA6279A}\.ba\msvcp100.dll

Filesize
593KB

MD5
d029339c0f59cf662094eddf8c42b2b5

SHA1
a0b6de44255ce7bfade9a5b559dd04f2972bfdc8

SHA256
934d882efd3c0f3f1efbc238ef87708f3879f5bb456d30af62f3368d58b6aa4c

SHA512
021d9af52e68cb7a3b0042d9ed6c9418552ee16df966f9ccedd458567c47d70471cb8851a69d3982d64571369664faeeae3be90e2e88a909005b9cdb73679c82

Download Submit
\Windows\Temp\{CD7ABC37-AB4B-4690-A09E-BB0CDDA6279A}\.ba\msvcr100.dll

Filesize
809KB

MD5
366fd6f3a451351b5df2d7c4ecf4c73a

SHA1
50db750522b9630757f91b53df377fd4ed4e2d66

SHA256
ae3cb6c6afba9a4aa5c85f66023c35338ca579b30326dd02918f9d55259503d5

SHA512
2de764772b68a85204b7435c87e9409d753c2196cf5b2f46e7796c99a33943e167f62a92e8753eaa184cd81fb14361e83228eb1b474e0c3349ed387ec93e6130

Download Submit
memory/2616-33-0x000007FEF80F0000-0x000007FEF8248000-memory.dmp

Filesize
1.3MB

Download
memory/2688-58-0x000007FEF7F90000-0x000007FEF80E8000-memory.dmp

Filesize
1.3MB

Download
memory/2688-59-0x000007FEF7F90000-0x000007FEF80E8000-memory.dmp

Filesize
1.3MB

Download
memory/3032-62-0x00000000776B0000-0x0000000077859000-memory.dmp

Filesize
1.7MB

Download
memory/3032-109-0x0000000075030000-0x00000000751A4000-memory.dmp

Filesize
1.5MB

Download