Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 22:21
Static task: static1
Behavioral task: behavioral1
  Sample: 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe
  Resource: win10v2004-20241007-en
General
Target: 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe
Size: 95KB
MD5: 9b369803c5a1e0225f3265806ab8d950
SHA1: 1bb9b3764892fb20c1714786e92da6f17fb81c03
SHA256: 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219
SHA512: 5cd472bf862a7ba177358855ec3d413d5181b9b73155d430adecea510c4bb88f806d0cbac79485629466c5b6bccfcb6f22aedcee077fe7402ea92b62343222b2
SSDEEP: 1536:bgYPhQXwIiPrrjThO+lUBrzCxry1ec7rUyj239auik53qxdbDPE8mJe/J:kYP2XerzhOUxu/XUtauiUqfbDs3Je/J
Malware Config
Signatures

Drops file in Windows directory (8 IoCs)
description | ioc | Process
File created | C:\Windows\IME\333.bat | 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe
File opened for modification | C:\Windows\IME\333.bat | 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe
File created | C:\Windows\IME\1.txt | 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe
File opened for modification | C:\Windows\IME\1.txt | 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe
File opened for modification | \??\c:\windows\ime\905\a.vbs | cmd.exe
File created | C:\Windows\IME\__tmp_rar_sfx_access_check_259441097 | 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe
File created | C:\Windows\IME\a未命名.jpg | 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe
File opened for modification | C:\Windows\IME\a未命名.jpg | 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target
PID 2592 wrote to memory of 2120 | 2592 | 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe | 30
PID 2592 wrote to memory of 2120 | 2592 | 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe | 30
PID 2592 wrote to memory of 2120 | 2592 | 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe | 30
PID 2592 wrote to memory of 2120 | 2592 | 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe | 30
PID 2592 wrote to memory of 2120 | 2592 | 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe | 30
PID 2592 wrote to memory of 2120 | 2592 | 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe | 30
PID 2592 wrote to memory of 2120 | 2592 | 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe | 30
PID 2120 wrote to memory of 2788 | 2120 | cmd.exe | 32
PID 2120 wrote to memory of 2788 | 2120 | cmd.exe | 32
PID 2120 wrote to memory of 2788 | 2120 | cmd.exe | 32
PID 2120 wrote to memory of 2788 | 2120 | cmd.exe | 32
PID 2120 wrote to memory of 2788 | 2120 | cmd.exe | 32
PID 2120 wrote to memory of 2788 | 2120 | cmd.exe | 32
PID 2120 wrote to memory of 2788 | 2120 | cmd.exe | 32
PID 2788 wrote to memory of 2748 | 2788 | WScript.exe | 33
PID 2788 wrote to memory of 2748 | 2788 | WScript.exe | 33
PID 2788 wrote to memory of 2748 | 2788 | WScript.exe | 33
PID 2788 wrote to memory of 2748 | 2788 | WScript.exe | 33
PID 2788 wrote to memory of 2748 | 2788 | WScript.exe | 33
PID 2788 wrote to memory of 2748 | 2788 | WScript.exe | 33
PID 2788 wrote to memory of 2748 | 2788 | WScript.exe | 33
Processes
1. C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe"
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2592
   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\windows\ime\333.bat" "
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2120
      3. C:\Windows\SysWOW64\WScript.exe
         command line: "C:\Windows\System32\WScript.exe" "C:\905\a905.vbs"
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 2788
         4. C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c ""C:\905\905.bat" "
            - System Location Discovery: System Language Discovery
            PID: 2748
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 921B
MD5: 491bdc8435bff0c077992159aeec3686
SHA1: afb5fe597cd0850a0f907f70f36ee951c01edae9
SHA256: f1e74a0c392bad5b5a8bb0b1c808592dca7f2f9f7dbc7f08f6d3f089436a9be2
SHA512: a330510e193c26d9363c9d1930765c62a72eebeb43bc3f7e17efa4ee7038ac8663c72ccf240e9a30c2ae803ffe7630aa0e30a2dfa555b85e9f99a4df4ec9ffff

Filesize: 98B
MD5: d4e4d2395f0ae37c8f74469887420c42
SHA1: 6aac31f197f2173591c7c3c131b811339763ba6a
SHA256: 8dc70d5200420fcac09b1fbe93c1bc2ee6cb27d22812bd3e5f7a70edd84a7845
SHA512: b1ff3496fe98ddc34d0bfb4f661f24f3bd6df2a40d3174167f4d6a96f3cf8a400da00de9f0b57d6f04e7014228c597bcf377c8e055378421bbd2f50a4560d774

Filesize: 2KB
MD5: bf85d58b5f8c87407c68d4479c08397d
SHA1: e5ef875b5e00d45b544f2b2cdc9c7dc45de2d29a
SHA256: 0e27eb46977ef3837953d1adefeaf7d52ea03d5743368710eda7999aaba28afd
SHA512: 702f91fa62bea645e04d6468f1cd299f07c8b3e21caca78cb27f90a4d0b21a9a934ab5636553414187181c1082654eb39fbcf1af3cc9ab2f651cafdf005c4985