2e402d9779e3b3399479a69016a0912d2b5f705f33c2aa98dd2c819ac0829e28

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-11-2024 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17-10-2024 #20/MulDrop.exe
Size

437KB
MD5

40e4282c65ce4cfeb5e566c6a3a713e0
SHA1

a3d786888ee84957cbea5d6879d7915a2f0ecd16
SHA256

68473e5f20e5a30b4bfffe86da83a30e5faada6b8824f894aad776b0b1f8106e
SHA512

0fc7e4c3155299580a6a497cc52cb504c124e16f8147b7c9a95b4fe6521481cf927512e5339dff0d78dda55e1c3c92de97a3b4b44fa3ff6b323de99a5dd2b09b
SSDEEP

6144:hH71iYqhwk9/U3ZfFAxljjF0OQTPGo/o51BeLZ+gneQX9c9wPetx3VC7wiywNA3R:BDqhwss3M/mjHqTeLcgeg9cWWT0RuR

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2024	_bbg.exe

Loads dropped DLL 1 IoCs

pid	Process
352	MulDrop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MulDrop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_bbg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2024	_bbg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 352 wrote to memory of 2024	352	MulDrop.exe	30
PID 352 wrote to memory of 2024	352	MulDrop.exe	30
PID 352 wrote to memory of 2024	352	MulDrop.exe	30
PID 352 wrote to memory of 2024	352	MulDrop.exe	30

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MulDrop.exe
"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MulDrop.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:352
- C:\Users\Admin\AppData\Local\Temp\sfx1\_bbg.exe
  C:\Users\Admin\AppData\Local\Temp\sfx1\_bbg.exe /sfxv:3.1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\Users\Admin\AppData\Local\Temp\sfx1\BB40eng.dix

Filesize
42KB

MD5
a8ffd569876199f144568bb7767d2b6f

SHA1
517dc551ba76d5565a4b2dac49951073553af265

SHA256
845bdef261b041fddd45a44b3b05b52bd16d4b9f423b5e52654a168452ec2930

SHA512
5abd433d8f97ce5a3686333ced77c0e5cc02147874fdecb08c3b2352b9840b3ac4dccfae242fdf0f8a5e5a41c4ba64f9dd9c840b9fd4a2607e656d6f60fbc473

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sfx1\tex_def.jpg

Filesize
2KB

MD5
8a8fa3d4bcbaa146d6d992cb41a17cb6

SHA1
ba029352f097f5091cbe7edd16f596f0e648472d

SHA256
03a9b3d2b445a8e4aeae2076c550d6acff401cbc331d29928ab4a33e0e7fda0a

SHA512
c776834e5613a62a3361a82c9c5cf1bef8e6c1f774a696315c05c2f17e13a3cc30db167b7696f57c134a232efc7e0feb2f8dc9a91522b4aee9b6417acba8dc80

Download Submit
\??\c:\users\admin\appdata\local\temp\sfx1\bbgift.puz

Filesize
46KB

MD5
200648833c230b76686bda1c0df905e5

SHA1
85f83493ecdd04dcce193f710b39a8475474e084

SHA256
a6e044bf66f82c2f2e669f7402704a16a35e5703c25fc2deafb077976e677934

SHA512
d61808f1c408a047646ed9fd49785f99dead9a601b28df17fb72c79ffb468d3898c4176364dd46b0b825415406271269fb49afd0d4bbc2993c349a4e78d5e68c

Download Submit
\Users\Admin\AppData\Local\Temp\sfx1\_bbg.exe

Filesize
636KB

MD5
f7a897d1732db96df3339644257ffdf5

SHA1
ff844b877dea6f74978067c606c6ef4b161e9afc

SHA256
7761b022a2f03d7965c189d28a7c5cfc773e691a4dd20af23ed8ec2b73c9e199

SHA512
0958e6ad3925178a5ff67f174b1f29f510c84a99840b8d97f0538f625666baa6363bfdedc66f2d2d8b566c36b192cd39d5984738675a59ad153db5871789f8d9

Download Submit