Analysis

  • max time kernel
    106s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-11-2024 01:33

General

  • Target: 7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
  • Size: 3.2MB
  • MD5: e547e76f0f4d9826d52b97c35ef3322f
  • SHA1: 40598d7df8245c5ee9842003bb6761b4254ac8af
  • SHA256: 7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd
  • SHA512: 33128f802bee7c0fb98ba4fdd194bc418ee17a83c5ae37ab4d02b39ac448fba776cd51c2e8ec2ba1fd947bb1e23724c3cf7f5615fd24e5a4abe8d4cddaa2e3b9
  • SSDEEP: 49152:98jKMvDBNjvsJRYKg2lr+N+Hx99OF1mBwNBeN2t+uxUAj49WIxF:gKMvDBBvsJGt2lr+NSYMGeEgUUbW0

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
    "C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\update.bat
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\SysWOW64\timeout.exe
        TIMEOUT /T 2
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2996
      • C:\Windows\SysWOW64\timeout.exe
        TIMEOUT /T 3
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2096
      • C:\Program Files (x86)\rvsolbevkh\pdcosw.exe
        "C:\Program Files (x86)\rvsolbevkh\pdcosw.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2840

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\update.bat
    Filesize: 218B
    MD5: 755ae2509932ae47b07c7b96b3ea41bf
    SHA1: 8b27354184939c4483d0c07bc0b067af13617e9f
    SHA256: e326773bedbc28e66842933901c9a277960dbf17e4cdf40465bbd39e14701b0f
    SHA512: e4cbff4b674d3e72efdd3e949b1ddff681b60c9f9999f3767101fb189e349fbf2b3fd9c2c5242090863257c441294127f12615a49353f2ff551ee61366f69ad5

  • C:\Windows\Synaptics.7z
    Filesize: 320B
    MD5: 3ce00833d4427d727d98f8f4105ad476
    SHA1: 119e9267eb9e33346fd3344024619c9edc42c43d
    SHA256: 0188fec66b72b38273b934e4f3c91b9e713d21f6aaac1ca012a69e956e5b1cc8
    SHA512: 913e1207043a4e46261d9de697d2e10580ad276b1b17ddd166ece0583e6f251607e59881006afbe43795b68ea0bb2c967b4b78797ce195d21d28491a733aeea1

  • C:\Windows\Synaptics.rs
    Filesize: 320B
    MD5: ea29a928121503e9659a143a41bcc81a
    SHA1: bb39d03bbd600d6ffdb9b763797493eaccd61f64
    SHA256: e90a70e3fd28c4b44e1e3c5e2fd6993e31f1821cefd305a227393c9fb9013a13
    SHA512: 52119eb71742b63f215443389d3e39148131ca5ba0b3675b27c7ecf297fabb5b0ac80bc8a5f609482afb30778e5ffc7ce590815500e1c752eee807446e25c399

  • \Program Files (x86)\rvsolbevkh\pdcosw.exe
    Filesize: 3.2MB
    MD5: e547e76f0f4d9826d52b97c35ef3322f
    SHA1: 40598d7df8245c5ee9842003bb6761b4254ac8af
    SHA256: 7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd
    SHA512: 33128f802bee7c0fb98ba4fdd194bc418ee17a83c5ae37ab4d02b39ac448fba776cd51c2e8ec2ba1fd947bb1e23724c3cf7f5615fd24e5a4abe8d4cddaa2e3b9

  • memory/2840-22-0x0000000000350000-0x000000000035B000-memory.dmp
    Filesize: 44KB

  • memory/2840-18-0x0000000000350000-0x000000000035B000-memory.dmp
    Filesize: 44KB

  • memory/2904-0-0x0000000000260000-0x000000000026B000-memory.dmp
    Filesize: 44KB

  • memory/2904-1-0x0000000000260000-0x000000000026B000-memory.dmp
    Filesize: 44KB