91f4b7ae747bfd036882e084650f608782b6054ecc8ab32f5fe91b91caf80e5d

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Versium.exe
Size

746KB
MD5

393d6260e39b68b2d60300e4f62ebc83
SHA1

16c58c5b7dee3ce4c3a40925ba4eed3c188faf46
SHA256

e7431a806b1b1928256376ec29207a342f4b860f4332bb523a53ac2d9d3d35d3
SHA512

d1916b2f2f8deddf331735b4b6f4b329d65696481c6971694c3bf64fa38feda8472c700d15311aad3ec3eeae5a6f9e6c85f204f955555a57eeea131ec4e8a198
SSDEEP

6144:d/QiQXCz5m+ksmpk3U9j0IMsoxvjFEOTb9WmZX/8shzdsY4CpHPhnBvudg:VQi3zc6m6UR0IMp1hf39Wkv8xwJB2i

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Versium.tmp

pid process

2820 Versium.tmp
Loads dropped DLL 4 IoCs

Processes:

Versium.exeVersium.tmp

pid process

1420 Versium.exe
2820 Versium.tmp
2820 Versium.tmp
2820 Versium.tmp

pid	process
2820	Versium.tmp

pid	process
1420	Versium.exe
2820	Versium.tmp
2820	Versium.tmp
2820	Versium.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Versium.exeVersium.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Versium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Versium.tmp

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Versium.exe

description	pid	process	target process
PID 1420 wrote to memory of 2820	1420	Versium.exe	Versium.tmp
PID 1420 wrote to memory of 2820	1420	Versium.exe	Versium.tmp
PID 1420 wrote to memory of 2820	1420	Versium.exe	Versium.tmp
PID 1420 wrote to memory of 2820	1420	Versium.exe	Versium.tmp
PID 1420 wrote to memory of 2820	1420	Versium.exe	Versium.tmp
PID 1420 wrote to memory of 2820	1420	Versium.exe	Versium.tmp
PID 1420 wrote to memory of 2820	1420	Versium.exe	Versium.tmp

C:\Users\Admin\AppData\Local\Temp\Versium.exe
"C:\Users\Admin\AppData\Local\Temp\Versium.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\is-V72GQ.tmp\Versium.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-V72GQ.tmp\Versium.tmp" /SL5="$40126,506127,422400,C:\Users\Admin\AppData\Local\Temp\Versium.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-V72GQ.tmp\Versium.tmp

Filesize
1.0MB

MD5
baec3f13d8997ecbe4460979102ed0b5

SHA1
438d163c5629b89cad5ba953a881afdb9624a998

SHA256
b41f017498a1d43c409cc2c5840e31972858c59e83abf26ff9528c9908c7abbe

SHA512
b4e14a3bc115ae816e3117d15b9a19f29d00322bd32112745d241f3452ffa52ef3db710397ce80972a443dc066fadbc161d1617b728430bf542edfef16a32125

Download Submit
\Users\Admin\AppData\Local\Temp\is-K7HE4.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-K7HE4.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
memory/1420-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1420-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1420-24-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2820-8-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2820-22-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download