c6897ee5e6e0c63e0cf1866460859894664359d397f9d453546adf12c7794818

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/11/2024, 04:18 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file3.exe
Size

743KB
MD5

4d4bc0c39fc901c1a86ef43fc3bf189a
SHA1

4736a94c30917e695ebf58f674632575e383d571
SHA256

1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494
SHA512

62bcb7214a1f7c3143ee69f4b188cfea38369d2d7b736891bc1a280334cfd2c31d994f99a1da890203ea638ff17b82c4481f765de4bb9ff3b37dcdc11f46dee6
SSDEEP

12288:pY20AljdZgBPfKf8+QxAogJfqsUsz0cX0eqUW7Yo63X7ZqNFi2fMM7Ms:e20gPgFKU+QxAVBbIcXT07YoCSNhp

Score

8^/10

discovery evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2816	attrib.exe

Executes dropped EXE 2 IoCs

pid	Process
2796	Sgsmmodul.com
2844	mmscx.exe

Loads dropped DLL 3 IoCs

pid	Process
2612	cmd.exe
2804	cmd.exe
2804	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmscx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sgsmmodul.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
2008	timeout.exe
2228	timeout.exe
2832	timeout.exe
1972	timeout.exe
2884	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2004	taskkill.exe
1692	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2704	2180	file3.exe	30
PID 2180 wrote to memory of 2704	2180	file3.exe	30
PID 2180 wrote to memory of 2704	2180	file3.exe	30
PID 2180 wrote to memory of 2704	2180	file3.exe	30
PID 2180 wrote to memory of 2704	2180	file3.exe	30
PID 2180 wrote to memory of 2704	2180	file3.exe	30
PID 2180 wrote to memory of 2704	2180	file3.exe	30
PID 2704 wrote to memory of 2612	2704	WScript.exe	31
PID 2704 wrote to memory of 2612	2704	WScript.exe	31
PID 2704 wrote to memory of 2612	2704	WScript.exe	31
PID 2704 wrote to memory of 2612	2704	WScript.exe	31
PID 2704 wrote to memory of 2612	2704	WScript.exe	31
PID 2704 wrote to memory of 2612	2704	WScript.exe	31
PID 2704 wrote to memory of 2612	2704	WScript.exe	31
PID 2612 wrote to memory of 2884	2612	cmd.exe	33
PID 2612 wrote to memory of 2884	2612	cmd.exe	33
PID 2612 wrote to memory of 2884	2612	cmd.exe	33
PID 2612 wrote to memory of 2884	2612	cmd.exe	33
PID 2612 wrote to memory of 2884	2612	cmd.exe	33
PID 2612 wrote to memory of 2884	2612	cmd.exe	33
PID 2612 wrote to memory of 2884	2612	cmd.exe	33
PID 2612 wrote to memory of 2796	2612	cmd.exe	34
PID 2612 wrote to memory of 2796	2612	cmd.exe	34
PID 2612 wrote to memory of 2796	2612	cmd.exe	34
PID 2612 wrote to memory of 2796	2612	cmd.exe	34
PID 2612 wrote to memory of 2796	2612	cmd.exe	34
PID 2612 wrote to memory of 2796	2612	cmd.exe	34
PID 2612 wrote to memory of 2796	2612	cmd.exe	34
PID 2612 wrote to memory of 2008	2612	cmd.exe	35
PID 2612 wrote to memory of 2008	2612	cmd.exe	35
PID 2612 wrote to memory of 2008	2612	cmd.exe	35
PID 2612 wrote to memory of 2008	2612	cmd.exe	35
PID 2612 wrote to memory of 2008	2612	cmd.exe	35
PID 2612 wrote to memory of 2008	2612	cmd.exe	35
PID 2612 wrote to memory of 2008	2612	cmd.exe	35
PID 2612 wrote to memory of 2964	2612	cmd.exe	36
PID 2612 wrote to memory of 2964	2612	cmd.exe	36
PID 2612 wrote to memory of 2964	2612	cmd.exe	36
PID 2612 wrote to memory of 2964	2612	cmd.exe	36
PID 2612 wrote to memory of 2964	2612	cmd.exe	36
PID 2612 wrote to memory of 2964	2612	cmd.exe	36
PID 2612 wrote to memory of 2964	2612	cmd.exe	36
PID 2612 wrote to memory of 2228	2612	cmd.exe	37
PID 2612 wrote to memory of 2228	2612	cmd.exe	37
PID 2612 wrote to memory of 2228	2612	cmd.exe	37
PID 2612 wrote to memory of 2228	2612	cmd.exe	37
PID 2612 wrote to memory of 2228	2612	cmd.exe	37
PID 2612 wrote to memory of 2228	2612	cmd.exe	37
PID 2612 wrote to memory of 2228	2612	cmd.exe	37
PID 2964 wrote to memory of 2804	2964	WScript.exe	38
PID 2964 wrote to memory of 2804	2964	WScript.exe	38
PID 2964 wrote to memory of 2804	2964	WScript.exe	38
PID 2964 wrote to memory of 2804	2964	WScript.exe	38
PID 2964 wrote to memory of 2804	2964	WScript.exe	38
PID 2964 wrote to memory of 2804	2964	WScript.exe	38
PID 2964 wrote to memory of 2804	2964	WScript.exe	38
PID 2804 wrote to memory of 2816	2804	cmd.exe	40
PID 2804 wrote to memory of 2816	2804	cmd.exe	40
PID 2804 wrote to memory of 2816	2804	cmd.exe	40
PID 2804 wrote to memory of 2816	2804	cmd.exe	40
PID 2804 wrote to memory of 2816	2804	cmd.exe	40
PID 2804 wrote to memory of 2816	2804	cmd.exe	40
PID 2804 wrote to memory of 2816	2804	cmd.exe	40
PID 2804 wrote to memory of 2832	2804	cmd.exe	41

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2816	attrib.exe
2012	attrib.exe

C:\Users\Admin\AppData\Local\Temp\file3.exe
"C:\Users\Admin\AppData\Local\Temp\file3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\tetracom.vbs" /f=CREATE_NO_WINDOW install.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\NSpack\updIns\44t.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 7
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2884
  - - C:\NSpack\updIns\Sgsmmodul.com
      "Sgsmmodul.com" e -pEktfsdu78s8f87Ap8pHr6Mqaq9SQ mit.rar
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2796
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 6
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2008
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\sevenup.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\NSpack\updIns\gg4359.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\NSpack\updIns"
        6⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2816
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2832
      - C:\NSpack\updIns\mmscx.exe
        
        mmscx.exe /start
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2844
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Sgsmmodul.com
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Sgsmmodul.com
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib -s -h "C:\NSpack\updIns"
        6⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2012
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 4
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1972
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 8
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\NSpack\updIns\44t.bat

Filesize
315B

MD5
96c69dbc1233bfa7c5e883658e0758d4

SHA1
613179fa74db9e71516bdb3a93341e9d90c4ecba

SHA256
deb0fa40647bb04decbdf7e62fd62985bceb5a47ab5f15556763b8db1266acde

SHA512
43d0621374de43a216086807ac90f3dac4339975cfca251e762c84680bbe4932dfcfee9d08e5c2ff113fa2b4db50e4e8ede960864da34d8905e76851ed91e0d3

Download Submit
C:\NSpack\updIns\dc.isi

Filesize
255KB

MD5
fbd467e1613c53b03376e987f3dbf2da

SHA1
e2ca3ff625122f49e8a382dee32d0ca2f98648bf

SHA256
cca183bc9bb6e35a4713e1e25e80147ff5ab3857984a22ce74b5836f6e98ab68

SHA512
e2cf3762d688a9d4b43224e86a258751085734af3da3bac93cc3baabb8499b2147c8026dcfc9745fedc5b906116cf1e59f010ad342b43ae242dbc47755fc0e05

Download Submit
C:\NSpack\updIns\gg4359.bat

Filesize
872B

MD5
b4be21a8f4bb91b11ccaf08b39b679d5

SHA1
b3da567bb1072168b54866ee29301bde61bdc45e

SHA256
35e6fbd496632c91eb924e1d3b7749eeba36125bc4551624786b171bea1d465d

SHA512
a52f7e9ad3ae76abe66920608c8b33a899ace0a4f4600903dc721a822114d5928cd85701a7405ef8ee1dc1aaa295174124a63ccec3e3fd3e347f01dbb2011f3c

Download Submit
C:\NSpack\updIns\sevenup.vbs

Filesize
104B

MD5
6a551928353982ab64107a4929c91c91

SHA1
b68ee5e77a722638f184d0fbf6a4834bb8cc188e

SHA256
0281bbb85161fdb990c6f1c149a7e4bbaafe262f028e4fb66ffa995e2c4a45f3

SHA512
870ef201fafd9d0036dcb4ea912676157075089390c9fecd0ad45d805e38bd74c5dc1fd413e9b765df50249628968ef8684b1b9ea57e2340769553e818c2159d

Download Submit
C:\NSpack\updIns\tetracom.vbs

Filesize
91B

MD5
bdc0fb5cada9a89f074961224aaf4e63

SHA1
9284fe4ecc0fde705fc596dd89191c02915fd7a4

SHA256
b6156e744da7ffcd5e47e78d487b2ad78b1babf44aaa4145d706247f308106db

SHA512
83cdf2cdc78106075fe5d8dfaa84fabae7251e76d8b706e74491291a03366bacd94ede79893e62f62f52c13c4cf1e5b5e53ebd49942d3789b01724464ee6ee28

Download Submit
\NSpack\updIns\Sgsmmodul.com

Filesize
551KB

MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
\NSpack\updIns\mmscx.exe

Filesize
593KB

MD5
3e79f72a8ae481ac76a69ccf1213d24d

SHA1
de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2

SHA256
1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4

SHA512
2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90

Download Submit
memory/2804-43-0x0000000000180000-0x00000000001E7000-memory.dmp

Filesize
412KB

Download
memory/2804-42-0x0000000000180000-0x00000000001E7000-memory.dmp

Filesize
412KB

Download
memory/2844-45-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.