46ad206fa4fd79cc79a34252b1ce148c4558d17dc132fc397ae5f4f7090a8723

Analysis

max time kernel
83s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46ad206fa4fd79cc79a34252b1ce148c4558d17dc132fc397ae5f4f7090a8723.exe
Size

995KB
MD5

2bb39f47f37a58cfc83e061f2bb29bfd
SHA1

4f54efaeb7ac015bd168e4e9dd10119a46d8aab2
SHA256

46ad206fa4fd79cc79a34252b1ce148c4558d17dc132fc397ae5f4f7090a8723
SHA512

46f081e54d6745f97c9e88b614d103d272a2ec1809ae85f7bf91183d2e717a65030f822936364d0fdde580d03e12d2a554fd8de3297e3f9211e8075a8fe4e019
SSDEEP

24576:qGRzatThRiVNbLGJv6plFh9iGa2oMYMgdsHGV:D8TjFJspDLoVMgdkq

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2552	@AEC9A5.tmp.exe
1276	46ad206fa4fd79cc79a34252b1ce148c4558d17dc132fc397ae5f4f7090a8723.exe
1724	WdExt.exe
2588	module_launcher.exe
1700	kb50145.exe
624	injector_s.exe

Loads dropped DLL 14 IoCs

pid	Process
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2552	@AEC9A5.tmp.exe
2980	cmd.exe
2980	cmd.exe
1724	WdExt.exe
1916	cmd.exe
1916	cmd.exe
2400	cmd.exe
2400	cmd.exe
1700	kb50145.exe
1700	kb50145.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Admin\\module_launcher.exe\""	module_launcher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WdExt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	injector_s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46ad206fa4fd79cc79a34252b1ce148c4558d17dc132fc397ae5f4f7090a8723.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@AEC9A5.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46ad206fa4fd79cc79a34252b1ce148c4558d17dc132fc397ae5f4f7090a8723.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	module_launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kb50145.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2552	@AEC9A5.tmp.exe
1724	WdExt.exe
2588	module_launcher.exe
2588	module_launcher.exe
2588	module_launcher.exe
2588	module_launcher.exe
2588	module_launcher.exe
2588	module_launcher.exe
624	injector_s.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	624	injector_s.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1276	46ad206fa4fd79cc79a34252b1ce148c4558d17dc132fc397ae5f4f7090a8723.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 2028	1056	46ad206fa4fd79cc79a34252b1ce148c4558d17dc132fc397ae5f4f7090a8723.exe	29
PID 1056 wrote to memory of 2028	1056	46ad206fa4fd79cc79a34252b1ce148c4558d17dc132fc397ae5f4f7090a8723.exe	29
PID 1056 wrote to memory of 2028	1056	46ad206fa4fd79cc79a34252b1ce148c4558d17dc132fc397ae5f4f7090a8723.exe	29
PID 1056 wrote to memory of 2028	1056	46ad206fa4fd79cc79a34252b1ce148c4558d17dc132fc397ae5f4f7090a8723.exe	29
PID 1056 wrote to memory of 2028	1056	46ad206fa4fd79cc79a34252b1ce148c4558d17dc132fc397ae5f4f7090a8723.exe	29
PID 1056 wrote to memory of 2028	1056	46ad206fa4fd79cc79a34252b1ce148c4558d17dc132fc397ae5f4f7090a8723.exe	29
PID 2028 wrote to memory of 2552	2028	explorer.exe	30
PID 2028 wrote to memory of 2552	2028	explorer.exe	30
PID 2028 wrote to memory of 2552	2028	explorer.exe	30
PID 2028 wrote to memory of 2552	2028	explorer.exe	30
PID 2028 wrote to memory of 1276	2028	explorer.exe	31
PID 2028 wrote to memory of 1276	2028	explorer.exe	31
PID 2028 wrote to memory of 1276	2028	explorer.exe	31
PID 2028 wrote to memory of 1276	2028	explorer.exe	31
PID 2552 wrote to memory of 2980	2552	@AEC9A5.tmp.exe	32
PID 2552 wrote to memory of 2980	2552	@AEC9A5.tmp.exe	32
PID 2552 wrote to memory of 2980	2552	@AEC9A5.tmp.exe	32
PID 2552 wrote to memory of 2980	2552	@AEC9A5.tmp.exe	32
PID 2552 wrote to memory of 2252	2552	@AEC9A5.tmp.exe	33
PID 2552 wrote to memory of 2252	2552	@AEC9A5.tmp.exe	33
PID 2552 wrote to memory of 2252	2552	@AEC9A5.tmp.exe	33
PID 2552 wrote to memory of 2252	2552	@AEC9A5.tmp.exe	33
PID 2980 wrote to memory of 1724	2980	cmd.exe	36
PID 2980 wrote to memory of 1724	2980	cmd.exe	36
PID 2980 wrote to memory of 1724	2980	cmd.exe	36
PID 2980 wrote to memory of 1724	2980	cmd.exe	36
PID 1724 wrote to memory of 1916	1724	WdExt.exe	37
PID 1724 wrote to memory of 1916	1724	WdExt.exe	37
PID 1724 wrote to memory of 1916	1724	WdExt.exe	37
PID 1724 wrote to memory of 1916	1724	WdExt.exe	37
PID 1916 wrote to memory of 2588	1916	cmd.exe	39
PID 1916 wrote to memory of 2588	1916	cmd.exe	39
PID 1916 wrote to memory of 2588	1916	cmd.exe	39
PID 1916 wrote to memory of 2588	1916	cmd.exe	39
PID 1916 wrote to memory of 2588	1916	cmd.exe	39
PID 1916 wrote to memory of 2588	1916	cmd.exe	39
PID 1916 wrote to memory of 2588	1916	cmd.exe	39
PID 2588 wrote to memory of 2400	2588	module_launcher.exe	40
PID 2588 wrote to memory of 2400	2588	module_launcher.exe	40
PID 2588 wrote to memory of 2400	2588	module_launcher.exe	40
PID 2588 wrote to memory of 2400	2588	module_launcher.exe	40
PID 2588 wrote to memory of 2400	2588	module_launcher.exe	40
PID 2588 wrote to memory of 2400	2588	module_launcher.exe	40
PID 2588 wrote to memory of 2400	2588	module_launcher.exe	40
PID 2400 wrote to memory of 1700	2400	cmd.exe	42
PID 2400 wrote to memory of 1700	2400	cmd.exe	42
PID 2400 wrote to memory of 1700	2400	cmd.exe	42
PID 2400 wrote to memory of 1700	2400	cmd.exe	42
PID 2400 wrote to memory of 1700	2400	cmd.exe	42
PID 2400 wrote to memory of 1700	2400	cmd.exe	42
PID 2400 wrote to memory of 1700	2400	cmd.exe	42
PID 1700 wrote to memory of 624	1700	kb50145.exe	43
PID 1700 wrote to memory of 624	1700	kb50145.exe	43
PID 1700 wrote to memory of 624	1700	kb50145.exe	43
PID 1700 wrote to memory of 624	1700	kb50145.exe	43
PID 1700 wrote to memory of 624	1700	kb50145.exe	43
PID 1700 wrote to memory of 624	1700	kb50145.exe	43
PID 1700 wrote to memory of 624	1700	kb50145.exe	43
PID 1700 wrote to memory of 2472	1700	kb50145.exe	44
PID 1700 wrote to memory of 2472	1700	kb50145.exe	44
PID 1700 wrote to memory of 2472	1700	kb50145.exe	44
PID 1700 wrote to memory of 2472	1700	kb50145.exe	44
PID 1700 wrote to memory of 2472	1700	kb50145.exe	44
PID 1700 wrote to memory of 2472	1700	kb50145.exe	44

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\46ad206fa4fd79cc79a34252b1ce148c4558d17dc132fc397ae5f4f7090a8723.exe
  "C:\Users\Admin\AppData\Local\Temp\46ad206fa4fd79cc79a34252b1ce148c4558d17dc132fc397ae5f4f7090a8723.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\@AEC9A5.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\@AEC9A5.tmp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2980
      - C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe
        
        "C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe
        
        "C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe" /i 1724
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe
        
        "C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\injector_s.exe
        
        "C:\Users\Admin\AppData\Roaming\injector_s.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\a0x.bat" "C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe" "C:\Users\Admin\AppData\Local\Temp\a0x.bat""
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\46ad206fa4fd79cc79a34252b1ce148c4558d17dc132fc397ae5f4f7090a8723.exe
      "C:\Users\Admin\AppData\Local\Temp\46ad206fa4fd79cc79a34252b1ce148c4558d17dc132fc397ae5f4f7090a8723.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\46ad206fa4fd79cc79a34252b1ce148c4558d17dc132fc397ae5f4f7090a8723.exe

Filesize
28KB

MD5
e985cb92a8490d65226d9e01b4f85fba

SHA1
0a5aa6589823b2bef5467853f1b1cbb95dcf787e

SHA256
d26549ed7fb87487e981883cff79bf108c41ef28b0197d13b582798637f29cfb

SHA512
71e5a37345d3a3c64fe921ac6c8a6569fc9593082e2629be3fdd6a3a519a62e5cbb8adc5c885cc5852200386e24ac7f009cad3ab1e4c5bdbcdd7923cc0707b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0x.bat

Filesize
44B

MD5
804bb96081db73d249b1d21573d8ea59

SHA1
abf76e8d0702ce245bb7afbb513cdcc8bac6ab35

SHA256
b1e4990bf84c402594a53a2a98011b8880239e790872de1f6c7b8b9cd1005cf5

SHA512
d037dea300ffe466ab83c2a1c2c9a55693c36b546dbbcfa0a7a1ef477a3ea5c33f9831d71389466cf4c74192b417bf9ed0b7e0ad88d927f1ca997fcba254414c

Download Submit
C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe

Filesize
962KB

MD5
c3a6e8e44d42d8e7309546810265a52d

SHA1
0add4c0a5cc3349e11d62174607e1d02c7ff340c

SHA256
f3105c1666c80b38a428782a1da0a2b59558cb65ab5e2a62c4c6c4d5ff06be39

SHA512
831698308ca657702810844c520510a39893f4540ab57ede0bc052b6d00031d14a272e0eb895ebba872e839551c2efe06a5fdeac89b8bcdec8cef7116a2bac21

Download Submit
C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe

Filesize
172KB

MD5
6ff3155e619e2c601db536c88741e094

SHA1
c71bfc0a9b11db33c801035e06d31a03e2901dd0

SHA256
b4febd6c6fc42b7d86b575f6c44f0d49fbe9ec02e98d3be00cb26b3e32a3a6d1

SHA512
8a3047ff46833003464f0979702a4b4f0cf3998c3e4aa865b2f61cfd377689eae706fb9017c2ca97a2fee7f65d6c17c73ae37e86940a6aefdd06d8f0281bcebc

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
105B

MD5
902a1098f800859502aec4eac3026495

SHA1
a6b209e9aa15087670e830af5de8179b31abc897

SHA256
ff5e923c453d3d61a7989b2b0f978b0bba924a7052667311c9eed54852a20cfd

SHA512
cf7f0197c78f9c7db81068fbc702596a00c5d7c8280751641965917056c0e71265a3a89f3daf6a3600faa13034b54fbedea50ea583723abbfc286f2e7e79fe77

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
122B

MD5
b3da638c2623763f85ea426893994beb

SHA1
f65367518d7fec232c98b4024bbe109d0cc62fa0

SHA256
65f50b6dec1871d95bfde1a06e1625ad451e2b8cd2d826e300f0d534b3125c13

SHA512
f6f6bd11a2f483313e772c69f863940e2e751fbebd466cd8836c4fec573263aefd1dbe0fbe93ed07db67594e97165223c67ac43dac7a9fe9f61602c1c0b5bdc6

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
196B

MD5
3a9498e4df73758d0c4345e69170937f

SHA1
adb99d48dc960ae44bf6074dec27c741ca5671a9

SHA256
b8e23efd70e58f9a60508e42a4d98e4dd54adcde8859d5567add79ab933dc945

SHA512
b4eeac1629c5cdcc19566cf7030ad480e22381aa0cce9daeaa544dc9c36b81d2313b879b95c312665e7d15bbfe8e11860f3c7cc750a77f5bfa4c494a564c5999

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat

Filesize
107B

MD5
85eb3280f9675f88d00040cbea92277f

SHA1
2fece0a30b2153b4a9fee72fe5a637dee1967a2f

SHA256
bf1b95975082845d3d9d8948999d69d666dfe50d741a36cdf81fa180fa4c777b

SHA512
2641b1dfa67216ed86d0394dbc6dd78f6124978c23673c73e4e1da66a93f98364acafc13c3df017fab682ed3d9a2c993f3d9bb562e07b7a1b0a01576e1381298

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
202KB

MD5
684c111c78f8bf6fcb5575d400e7669c

SHA1
d587894c0beffdff00ae6d358a5463ef18bcb485

SHA256
080fb4cd0b92884c89efab9161685f3ba0666cd9dab8de6c752bfe35e4e45716

SHA512
bcf748d21be502d7346f56ffc9ef13f3394d46c679d7cf17289d007e91b4ead2ec4035b3ccd5626eb378958cbb6ac371edfde8319433db9b709694595ae53e4f

Download Submit
\Users\Admin\AppData\Local\Temp\@AEC9A5.tmp.exe

Filesize
960KB

MD5
20e25754da4c6914404b4d3f56d7699e

SHA1
e490d8a8e6c7c3b8ba4fa922572a9522f48cab54

SHA256
06e059639259603706a84865e425356541a011c13b0800b7894aeec5037336f4

SHA512
4f4429d431f9226f6485ba0b2409680f2606bf86549d23c649a598343e4caa55070148e201339b13cc94e599275290914ef10de1a93df512699616886d6df6da

Download Submit
\Users\Admin\AppData\Roaming\Admin\kb50145.exe

Filesize
76KB

MD5
8bf335774fbb62bbe1de03921dfe047a

SHA1
24fc750a20aebb52f23e84264d201f458106d95d

SHA256
048655d212b269073107e4636125ceeea262acce1d364fc512a0cc8f4783dcf7

SHA512
aed95f1c37cc99cee23d250e395a80c9c45c7c1c017ec7baef2af860711dbd5b540bf077d372e94582c9758961063f4c166a03fffce3b17e7fb468ce174b7aea

Download Submit
\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
202KB

MD5
7ff15a4f092cd4a96055ba69f903e3e9

SHA1
a3d338a38c2b92f95129814973f59446668402a8

SHA256
1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

SHA512
4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

Download Submit
\Users\Admin\AppData\Roaming\injector_s.exe

Filesize
188KB

MD5
1d1491e1759c1e39bf99a5df90311db3

SHA1
8bd6faed091bb00f879ef379715461130493e97f

SHA256
22c5c5bcb256c1dcaead463c92a70107ba1bac40564fe1e7d46594c6a3936778

SHA512
ac6ca48acbd288011849e55b0c66faf9ead479e39dc2deaecc7ad998e764f02a1807bb9227e03f12ce1a0b1f5c5b3072c3b86b5bae336e84d95d7a3e42cf5a1e

Download Submit
memory/1220-235-0x00000000021E0000-0x00000000021ED000-memory.dmp

Filesize
52KB

Download
memory/1276-21-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1276-237-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2028-14-0x00000000009E0000-0x00000000009F1000-memory.dmp

Filesize
68KB

Download
memory/2028-19-0x00000000009E0000-0x00000000009F1000-memory.dmp

Filesize
68KB

Download
memory/2552-23-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2588-202-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download