2e402d9779e3b3399479a69016a0912d2b5f705f33c2aa98dd2c819ac0829e28

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
16-11-2024 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17-10-2024 #20/app stroe.exe
Size

752KB
MD5

50b1390fe325207d2a96fc991b065030
SHA1

ee5f6c76400f1eafec18a674774e31faad150009
SHA256

eb2714d855c5896df7f2bb2c09e1db57c38e7e154c07cb96c5c9e4ec7f9422f2
SHA512

c77b1ceb70553f8250ec09e89a76c9e89c4df6bad444887559adda45effbdb6d80bf1de000d7468f2bdfd16f3015e84cfbd3070d359ed444284ca0e3d369660a
SSDEEP

12288:zhDMjlZ8RZ7QwkMSiakDdUlftrIzoJ3fVR1hj8bgn8mYvTbV9rwvjlDtghOcv:5PRZAiakEfdSQhCgn85vTJ9iwOcv

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2452	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2316	xapounq.exe
2460	~DFA1B1.tmp
2248	lohyryd.exe

Loads dropped DLL 3 IoCs

pid	Process
1736	app stroe.exe
2316	xapounq.exe
2460	~DFA1B1.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lohyryd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app stroe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xapounq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~DFA1B1.tmp

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2248	lohyryd.exe
2248	lohyryd.exe
2248	lohyryd.exe
2248	lohyryd.exe
2248	lohyryd.exe
2248	lohyryd.exe
2248	lohyryd.exe
2248	lohyryd.exe
2248	lohyryd.exe
2248	lohyryd.exe
2248	lohyryd.exe
2248	lohyryd.exe
2248	lohyryd.exe
2248	lohyryd.exe
2248	lohyryd.exe
2248	lohyryd.exe
2248	lohyryd.exe
2248	lohyryd.exe
2248	lohyryd.exe
2248	lohyryd.exe
2248	lohyryd.exe
2248	lohyryd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2460	~DFA1B1.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2316	1736	app stroe.exe	30
PID 1736 wrote to memory of 2316	1736	app stroe.exe	30
PID 1736 wrote to memory of 2316	1736	app stroe.exe	30
PID 1736 wrote to memory of 2316	1736	app stroe.exe	30
PID 1736 wrote to memory of 2452	1736	app stroe.exe	31
PID 1736 wrote to memory of 2452	1736	app stroe.exe	31
PID 1736 wrote to memory of 2452	1736	app stroe.exe	31
PID 1736 wrote to memory of 2452	1736	app stroe.exe	31
PID 2316 wrote to memory of 2460	2316	xapounq.exe	33
PID 2316 wrote to memory of 2460	2316	xapounq.exe	33
PID 2316 wrote to memory of 2460	2316	xapounq.exe	33
PID 2316 wrote to memory of 2460	2316	xapounq.exe	33
PID 2460 wrote to memory of 2248	2460	~DFA1B1.tmp	35
PID 2460 wrote to memory of 2248	2460	~DFA1B1.tmp	35
PID 2460 wrote to memory of 2248	2460	~DFA1B1.tmp	35
PID 2460 wrote to memory of 2248	2460	~DFA1B1.tmp	35

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\app stroe.exe
"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\app stroe.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\xapounq.exe
  C:\Users\Admin\AppData\Local\Temp\xapounq.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\~DFA1B1.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA1B1.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\lohyryd.exe
      "C:\Users\Admin\AppData\Local\Temp\lohyryd.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
276B

MD5
fa241bb53d778e95e5d451463e580d58

SHA1
9f6a150272a3d231fd8f22befca20ce8ce285075

SHA256
1970ccc2659cbe5a7b9b3693ae82b69ead9014a14bfe9c566c09bda1ddb053f7

SHA512
c21b676da6372a06d30bb821dec597bc323edcc580ca6c34d1ca982d2b4a067a606301226a5bf7274267f49657084168a75b167502bb76e44206147bdf3adb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
705525ab9a15f55d8d58206c5cab7890

SHA1
03be9e16fa234405fec40b5ba2386cea30e68eb9

SHA256
0be8c5c9297b49016a47be7999986e0fd31df325b7736adc2edfb6b145e6dc06

SHA512
344c0065aca3d8e84d6a396008588e0cc660939508f7a60da02f9dfdd67f21e22bc12243839cb1d5a71d3868492175af346fb5d9b312099298c0f5724e3a0a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA1B1.tmp

Filesize
758KB

MD5
6258e261b42ab339d506c8a757400664

SHA1
1373f54b08c307facc66404cc865042579415b36

SHA256
f30bc43c49de521a1b042e69cdb6bfcaef6e8aee77d0afb45d06d2807cfbb303

SHA512
7e7c5b6c1cbf150f8125245720f6380b37fc6a1eec2eec3e422d1f2725889e63c2550c53997f73e4c77a9013f214569b2fb597b4fb6ddc4b9eb6294df36265da

Download Submit
\Users\Admin\AppData\Local\Temp\lohyryd.exe

Filesize
396KB

MD5
22631c9d94a255c2c99d2ec867f63256

SHA1
9f59b244debc4f29d7b1594920bdd197a83e3a17

SHA256
52a11f86d374fc83908dd608f6a5fba1d7d2ae9cdd523042e294472209a9f433

SHA512
4e3d4d95c93af25a974ace8293870a7257d91d02cd77b0bab2b9f280a998407b2c8a186261ad9ffddedaf57909cedd005c6bc9055ad8b19dabaf47ab1e9a9de2

Download Submit
\Users\Admin\AppData\Local\Temp\xapounq.exe

Filesize
755KB

MD5
a429850d8a856a05b26fcbde2cc3c653

SHA1
df72f3905749999d61703d9c5926b48cf0f39823

SHA256
4330f158146d36be76074f53c3715085b20a26a3bb08a99e76212add02ecd863

SHA512
db7b6fe7772e2f5730a51d59f3f8a917c77b88cd258e6731b8f5938aa289a5fdcf752273f4c99c6b55a0d6471f1205896157f084ecfbdd42ed72b8d0fc650728

Download Submit
memory/1736-9-0x0000000001F40000-0x0000000002020000-memory.dmp

Filesize
896KB

Download
memory/1736-20-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1736-2-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1736-33-0x0000000001F40000-0x0000000002020000-memory.dmp

Filesize
896KB

Download
memory/2248-50-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2248-47-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2316-32-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2316-28-0x0000000002D40000-0x0000000002E20000-memory.dmp

Filesize
896KB

Download
memory/2316-22-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2460-34-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2460-46-0x0000000003E10000-0x0000000003F4E000-memory.dmp

Filesize
1.2MB

Download
memory/2460-29-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2460-49-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2460-65-0x0000000003E10000-0x0000000003F4E000-memory.dmp

Filesize
1.2MB

Download