6cf77b0db1abd05162956aff8434cc35ed3dbd65d89ca3d8e2785a1eaaf40cfc

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tg-x64.exe
Size

45.2MB
MD5

65c23b196d8c066197b3d6e9fc3282a2
SHA1

7a2412047c4c9d9bd3648600240482122173cb44
SHA256

c84ddc7daab32f1835872b0afe99f3691d7ced32cbd253af31ea8a2f121afc15
SHA512

1c98f3ee1262af666c22411c18e08b0175887468bf1c186e19fa5ddd845083f36006ded99e11878f303910547bee3324dcc730628cd1b3214d382c37042831f2
SSDEEP

786432:pOq/jN3x1O1e7yR4mUsc4dtCO6eZST5u3TzmFIlgkAAXSo8K2ZdTq87JEE+cL1QE:L/ZB17y+tVq6eAc3T6FpkAjozKdTDlxR

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2816	ShellExperienceHosts.exe

Loads dropped DLL 2 IoCs

pid	Process
2748	cmd.exe
2816	ShellExperienceHosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tg-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ShellExperienceHosts.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2748	2536	tg-x64.exe	30
PID 2536 wrote to memory of 2748	2536	tg-x64.exe	30
PID 2536 wrote to memory of 2748	2536	tg-x64.exe	30
PID 2536 wrote to memory of 2748	2536	tg-x64.exe	30
PID 2748 wrote to memory of 2816	2748	cmd.exe	32
PID 2748 wrote to memory of 2816	2748	cmd.exe	32
PID 2748 wrote to memory of 2816	2748	cmd.exe	32
PID 2748 wrote to memory of 2816	2748	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\tg-x64.exe
"C:\Users\Admin\AppData\Local\Temp\tg-x64.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
    C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Downloads\program\ShellExperienceHosts.exe

Filesize
634KB

MD5
0922b22053a6d5d9516ea910d34a4771

SHA1
784d3ed35d040091ae209792e2fa8fc97ee6a071

SHA256
41f413debfe785b95d852a396aefe1c814f3c13bdedf85526f2dc4e83127d6ca

SHA512
909ec8b2c1045cc11c03c6b82b7ed6ad96bc8e93f9c98cb8a668572c84cbbce778c12365b2b2eb547218783a830be41458e0ae21939e99339f54921d98d944d8

Download Submit
C:\Users\Public\Downloads\program\yyzyBase.dll

Filesize
2.8MB

MD5
bbc7f7facc3667af1b57d80fd6d12839

SHA1
6cac9da94670f0a04ed7a4539c8fc2e71bd93563

SHA256
c8e901576c91d2ce6821b4f807e3ace7f28a81e5491c7779b89171e8187b76c6

SHA512
928f7ef931d4b6f12717c42031c3b82e2594a38909de5d2d1e9cd0f5314959aef6bb123941a0c37ccb04799c3eff6fed0e0bacec1f2d0a69f5df34cc1c85fbd5

Download Submit
memory/2748-10-0x0000000001CF0000-0x0000000001D92000-memory.dmp

Filesize
648KB

Download
memory/2748-16-0x0000000001CF0000-0x0000000001D92000-memory.dmp

Filesize
648KB

Download
memory/2816-13-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2816-15-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download