Overview

overview

10

Static

static

1

7b6e6212a6...43.exe

windows7-x64

7

7b6e6212a6...43.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08-11-2024 18:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7b6e6212a6d13800282bd2cb362c2a311d89e543.exe

  • Size

    20.4MB

  • MD5

    3c387c0db035c0c3185d6fbd1ab46bd1

  • SHA1

    7b6e6212a6d13800282bd2cb362c2a311d89e543

  • SHA256

    a1720d68eef7dc381a533fd8584a227db3dbcaed16098a0d7f31077f95355e8c

  • SHA512

    a6e431c98cafaf3762d5d1d60ab337d4a002c0dd90ae830d6b513c97e333adc3bdf8ce70ad65d6149878fb48d94b762902038d44909b662603c6082997071e76

  • SSDEEP

    393216:xrjU2t/X9E3JMUNccjPql0NbgVunl22V5v+8gDRmffwuvO:tjU2p9EZvNdjP6Kbaunldv+8ORmXwu2

Score
7/10
discoveryexecution

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b6e6212a6d13800282bd2cb362c2a311d89e543.exe
    "C:\Users\Admin\AppData\Local\Temp\7b6e6212a6d13800282bd2cb362c2a311d89e543.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Users\Admin\AppData\Local\Temp\is-7J7G0.tmp\7b6e6212a6d13800282bd2cb362c2a311d89e543.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-7J7G0.tmp\7b6e6212a6d13800282bd2cb362c2a311d89e543.tmp" /SL5="$400E4,18032967,815616,C:\Users\Admin\AppData\Local\Temp\7b6e6212a6d13800282bd2cb362c2a311d89e543.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:796
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\is-1BTT3.tmp\ExtractedContent.ps1"
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1780

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Advanced IP Scanner\is-PENLF.tmp
    Filesize

    1KB

    MD5

    88b009ccacf0eb1b4a141470d3f160c4

    SHA1

    ee0d1a44562ccdedbcde92d232fa541f53826b4b

    SHA256

    d2254ed99166a12ce00f93379142acfcbf9a49af3fb8789e8215b0c1cccb4587

    SHA512

    d07c7b90a12e7e48a90bf450a57e4479ae5bb130efe9950a316d9a7ab9063d94af0f35942925aca41a7c2c149a0f31a075c38dd0b34821f88bd81588660d0be1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-1BTT3.tmp\ExtractedContent.ps1
    Filesize

    2.9MB

    MD5

    e7db56615c92704e45d5832f1eb94c65

    SHA1

    4d36d413e1b76d76a2e0420c70a093bbe460a209

    SHA256

    7e80dde6044a5ae063e01d834953dea9ebf6f83f8ae43b2f407eafc17d6b33c6

    SHA512

    41d807e82d3987fd73107c4cb9a15b5b6992e2fc8f2064d5ed39b88820769ee9236b1d053b419723f89dfa4a0b6ea4d1b6f37aa2334d1542201ff7fb0a6e05a4

    Download Submit

  • \Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe
    Filesize

    1.6MB

    MD5

    b3411927cc7cd05e02ba64b2a789bbde

    SHA1

    b26cfde4ca74d5d5377889bba5b60b5fc72dda75

    SHA256

    4b036cc9930bb42454172f888b8fde1087797fc0c9d31ab546748bd2496bd3e5

    SHA512

    732c750fa31d31bf4c5143938096feb37df5e18751398babd05c01d0b4e5350238b0de02d0cdfd5ba6d1b942cb305be091aac9fe0aad9fc7ba7e54a4dbc708fd

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-7J7G0.tmp\7b6e6212a6d13800282bd2cb362c2a311d89e543.tmp
    Filesize

    3.2MB

    MD5

    77264dbcb409de0c426bd5088b0fbe09

    SHA1

    11c02946ea15eea615ede3ed5597ed223d3879cf

    SHA256

    85c71bb847f0b29db1d790c631d586167942ffceae96605f5673438fe3c8dd1a

    SHA512

    5604a2fee723cea3238aca10dd44e1b1a4d5316a1e2c860619e34b9076fee501e9a9fc22c7e3e3dad1fdc7690f1992a57778b74b40fe6f3307085549ccfc6a83

    Download Submit

  • memory/796-8-0x0000000000100000-0x0000000000101000-memory.dmp

    Filesize

    4KB

    Download

  • memory/796-12-0x0000000000100000-0x0000000000101000-memory.dmp

    Filesize

    4KB

    Download

  • memory/796-11-0x0000000000970000-0x0000000000CA4000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/796-14-0x0000000000970000-0x0000000000CA4000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/796-16-0x0000000000970000-0x0000000000CA4000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/796-308-0x0000000000970000-0x0000000000CA4000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2524-10-0x0000000000D70000-0x0000000000E45000-memory.dmp

    Filesize

    852KB

    Download

  • memory/2524-2-0x0000000000D71000-0x0000000000E19000-memory.dmp

    Filesize

    672KB

    Download

  • memory/2524-0-0x0000000000D70000-0x0000000000E45000-memory.dmp

    Filesize

    852KB

    Download

  • memory/2524-309-0x0000000000D70000-0x0000000000E45000-memory.dmp

    Filesize

    852KB

    Download