030324e0a31427fd63213acd29f3cdf5b445a6ec03eb803fb08dbf3a0c1b258b

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/11/2024, 14:07 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EQ_AW24 New Order Request.xlx.exe
Size

656KB
MD5

ca2ed1b927f4bee1cd1f24bb19f4c0e1
SHA1

d1b7dc1cc0412301c61660d0d5cb02d20a6aa77d
SHA256

030324e0a31427fd63213acd29f3cdf5b445a6ec03eb803fb08dbf3a0c1b258b
SHA512

153939e1eeaeb2e3d4fc9f487ce039fde403a18ea94466c55c53ce5e00aefa59ae3324c03687c1794c7d321da9b2dced1bca2a658d5da54e0acb76dfff4d3da7
SSDEEP

12288:cT02YrvZq2mPKxG3sfYFwJH9ZzkwGQWOsKWLCp6X9uruAK5Gi:cTbYdqfKxG3swyVk7QWOhW+p6NBAWGi

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2648	EQ_AW24 New Order Request.xlx.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2648	EQ_AW24 New Order Request.xlx.exe
2680	EQ_AW24 New Order Request.xlx.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2648 set thread context of 2680	2648	EQ_AW24 New Order Request.xlx.exe	30

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\slutstrenge.tri	EQ_AW24 New Order Request.xlx.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\Semiprofessionalized248\evaluxir.pra	EQ_AW24 New Order Request.xlx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQ_AW24 New Order Request.xlx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQ_AW24 New Order Request.xlx.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2648	EQ_AW24 New Order Request.xlx.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2680	2648	EQ_AW24 New Order Request.xlx.exe	30
PID 2648 wrote to memory of 2680	2648	EQ_AW24 New Order Request.xlx.exe	30
PID 2648 wrote to memory of 2680	2648	EQ_AW24 New Order Request.xlx.exe	30
PID 2648 wrote to memory of 2680	2648	EQ_AW24 New Order Request.xlx.exe	30
PID 2648 wrote to memory of 2680	2648	EQ_AW24 New Order Request.xlx.exe	30
PID 2648 wrote to memory of 2680	2648	EQ_AW24 New Order Request.xlx.exe	30

C:\Users\Admin\AppData\Local\Temp\EQ_AW24 New Order Request.xlx.exe
"C:\Users\Admin\AppData\Local\Temp\EQ_AW24 New Order Request.xlx.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\EQ_AW24 New Order Request.xlx.exe
  "C:\Users\Admin\AppData\Local\Temp\EQ_AW24 New Order Request.xlx.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:2680

Network

DNS

sierrassinfinusadas.com.ar

EQ_AW24 New Order Request.xlx.exe

Remote address:

8.8.8.8:53

Request

sierrassinfinusadas.com.ar

IN A

Response

sierrassinfinusadas.com.ar

IN A

167.250.5.91

167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

407 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

369 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

288 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

EQ_AW24 New Order Request.xlx.exe

190 B
92 B
4
2
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

407 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

369 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

288 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

EQ_AW24 New Order Request.xlx.exe

190 B
92 B
4
2
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

407 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

369 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

288 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

EQ_AW24 New Order Request.xlx.exe

190 B
92 B
4
2
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

407 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

369 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

288 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

EQ_AW24 New Order Request.xlx.exe

190 B
92 B
4
2
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

407 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

369 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

288 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

EQ_AW24 New Order Request.xlx.exe

190 B
92 B
4
2
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

407 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

369 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

288 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

EQ_AW24 New Order Request.xlx.exe

190 B
92 B
4
2
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

407 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

369 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

288 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

EQ_AW24 New Order Request.xlx.exe

190 B
92 B
4
2
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

407 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

369 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

288 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

EQ_AW24 New Order Request.xlx.exe

190 B
92 B
4
2
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

407 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

369 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

288 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

EQ_AW24 New Order Request.xlx.exe

190 B
92 B
4
2
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

407 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

369 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

288 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

EQ_AW24 New Order Request.xlx.exe

190 B
92 B
4
2
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

407 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

369 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

288 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

EQ_AW24 New Order Request.xlx.exe

190 B
92 B
4
2
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

407 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

369 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

tls

EQ_AW24 New Order Request.xlx.exe

288 B
219 B
5
5
167.250.5.91:443

sierrassinfinusadas.com.ar

EQ_AW24 New Order Request.xlx.exe

190 B
92 B
4
2

8.8.8.8:53

sierrassinfinusadas.com.ar

dns

EQ_AW24 New Order Request.xlx.exe

72 B
88 B
1
1

DNS Request

sierrassinfinusadas.com.ar

DNS Response

167.250.5.91

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nstEF30.tmp\System.dll

Filesize
12KB

MD5
564bb0373067e1785cba7e4c24aab4bf

SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Download Submit
memory/2648-10-0x00000000779E1000-0x0000000077AE2000-memory.dmp

Filesize
1.0MB

Download
memory/2648-11-0x00000000779E0000-0x0000000077B89000-memory.dmp

Filesize
1.7MB

Download
memory/2680-12-0x00000000779E0000-0x0000000077B89000-memory.dmp

Filesize
1.7MB

Download
memory/2680-13-0x00000000004B0000-0x0000000001512000-memory.dmp

Filesize
16.4MB

Download
memory/2680-14-0x00000000779E0000-0x0000000077B89000-memory.dmp

Filesize
1.7MB

Download