9dc2dcabca1538137079bb81847c1aaa9b390a54d58776b569a2fd5b3c2d14e6

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mal2/Setup.exe
Size

80KB
MD5

2a8613b7d99903516b8fe02fd820bf52
SHA1

78a96addcb556ab1d490fac80f929305263d06b9
SHA256

f1d68c5e7c7660d4f2ce412c109b7fe3e088872fa0ebe61ca9ab9dd92a496407
SHA512

af0902aeb6169ea507b787da7b61c3533df4610c3f51c1d8f65dfc9008c8ce2580f2d86a49a4d0acc2c51c731f3e4c447d0d1d8e779dc1c75e43d30b79c46436
SSDEEP

1536:9A8oAY5SXfidLez+Q+EGfdUHLLXJ+CqoVpPBucQwk7qnKXKo5OMY8xk03ben8TK:M7Ohz+Q+EGlUHLLXJ+CqoTPBucQwktXS

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

nc.exe

pid	Process
2144	nc.exe
1176

Loads dropped DLL 8 IoCs

Processes:

Setup.exemore.comAutoIt3.exeWerFault.exe

pid	Process
2496	Setup.exe
1520	more.com
2736	AutoIt3.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description	pid	Process	procid_target
PID 2496 set thread context of 1520	2496	Setup.exe	32

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2616	2736	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Setup.exemore.comAutoIt3.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.exemore.com

pid	Process
2496	Setup.exe
2496	Setup.exe
1520	more.com
1520	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Setup.exemore.com

pid	Process
2496	Setup.exe
1520	more.com

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Setup.exemore.comAutoIt3.exe

description	pid	Process	procid_target
PID 2496 wrote to memory of 2144	2496	Setup.exe	30
PID 2496 wrote to memory of 2144	2496	Setup.exe	30
PID 2496 wrote to memory of 2144	2496	Setup.exe	30
PID 2496 wrote to memory of 2144	2496	Setup.exe	30
PID 2496 wrote to memory of 1520	2496	Setup.exe	32
PID 2496 wrote to memory of 1520	2496	Setup.exe	32
PID 2496 wrote to memory of 1520	2496	Setup.exe	32
PID 2496 wrote to memory of 1520	2496	Setup.exe	32
PID 2496 wrote to memory of 1520	2496	Setup.exe	32
PID 1520 wrote to memory of 2736	1520	more.com	34
PID 1520 wrote to memory of 2736	1520	more.com	34
PID 1520 wrote to memory of 2736	1520	more.com	34
PID 1520 wrote to memory of 2736	1520	more.com	34
PID 1520 wrote to memory of 2736	1520	more.com	34
PID 1520 wrote to memory of 2736	1520	more.com	34
PID 2736 wrote to memory of 2616	2736	AutoIt3.exe	35
PID 2736 wrote to memory of 2616	2736	AutoIt3.exe	35
PID 2736 wrote to memory of 2616	2736	AutoIt3.exe	35
PID 2736 wrote to memory of 2616	2736	AutoIt3.exe	35

C:\Users\Admin\AppData\Local\Temp\mal2\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\mal2\Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Roaming\DJGB\TSWZGTNJZTN\nc.exe
  C:\Users\Admin\AppData\Roaming\DJGB\TSWZGTNJZTN\nc.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
    C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 148
      4⤵
      Loads dropped DLL
      Program crash
      PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\926e971a

Filesize
2.3MB

MD5
aafc6eb335b15925083b6dfae7d98631

SHA1
f4f2bbc9f47cfee158db2dbf49febf29dce711ca

SHA256
bc6050ddcfb4a6809bd2c454726e24d6ec901c2a480f8e5db85b54bc9c4edf76

SHA512
edc6a6ca5862fce36b4724e7138c6293adf78ffb2ad48beb05749da1688186c37abe1a0791cb4d99986464bdd94e6c33a878aee9140293c71db8e70f6ffc6a3b

Download Submit
\Users\Admin\AppData\Local\Temp\AutoIt3.exe

Filesize
921KB

MD5
3f58a517f1f4796225137e7659ad2adb

SHA1
e264ba0e9987b0ad0812e5dd4dd3075531cfe269

SHA256
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

SHA512
acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

Download Submit
\Users\Admin\AppData\Roaming\DJGB\TSWZGTNJZTN\nc.exe

Filesize
285KB

MD5
7fb44c5bca4226d8aab7398e836807a2

SHA1
47128e4f8afabfde5037ed0fcaba8752c528ff52

SHA256
a64ead73c06470bc5c84cfc231b0723d70d29fec7d385a268be2c590dc5eb1ef

SHA512
f0bd093f054c99bcc50df4005d0190bd7e3dcefea7008ae4c9b67a29e832e02ae9ff39fa75bc1352c127aeb13afdea9bfdcc238ac826ef17f288d6fbd2ec8cab

Download Submit
memory/1520-23-0x0000000073740000-0x00000000738B4000-memory.dmp

Filesize
1.5MB

Download
memory/1520-36-0x0000000073740000-0x00000000738B4000-memory.dmp

Filesize
1.5MB

Download
memory/1520-31-0x0000000073740000-0x00000000738B4000-memory.dmp

Filesize
1.5MB

Download
memory/1520-28-0x0000000073740000-0x00000000738B4000-memory.dmp

Filesize
1.5MB

Download
memory/1520-25-0x00000000773C0000-0x0000000077569000-memory.dmp

Filesize
1.7MB

Download
memory/2496-13-0x0000000073740000-0x00000000738B4000-memory.dmp

Filesize
1.5MB

Download
memory/2496-20-0x0000000073753000-0x0000000073754000-memory.dmp

Filesize
4KB

Download
memory/2496-19-0x0000000073740000-0x00000000738B4000-memory.dmp

Filesize
1.5MB

Download
memory/2496-17-0x0000000073740000-0x00000000738B4000-memory.dmp

Filesize
1.5MB

Download
memory/2496-0-0x0000000073740000-0x00000000738B4000-memory.dmp

Filesize
1.5MB

Download
memory/2496-10-0x0000000073753000-0x0000000073754000-memory.dmp

Filesize
4KB

Download
memory/2496-12-0x0000000073740000-0x00000000738B4000-memory.dmp

Filesize
1.5MB

Download
memory/2496-1-0x00000000773C0000-0x0000000077569000-memory.dmp

Filesize
1.7MB

Download
memory/2736-34-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2736-35-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2736-38-0x0000000000080000-0x00000000000F3000-memory.dmp

Filesize
460KB

Download
memory/2736-44-0x0000000000080000-0x00000000000F3000-memory.dmp

Filesize
460KB

Download