c91598f31099d5157ef641d2cfce647ad6e7de1b766e537c38df4258553da7c5

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c91598f31099d5157ef641d2cfce647ad6e7de1b766e537c38df4258553da7c5.exe
Size

3.2MB
MD5

29bccbe4c0d5dbc86a266b404c95f80f
SHA1

5f130401f13c28ff12ebfaac103b92a1f6c78579
SHA256

c91598f31099d5157ef641d2cfce647ad6e7de1b766e537c38df4258553da7c5
SHA512

03abc01d6bbb78c88200f4fc8c341d18792bd374b760d089849e8dd2072d1b745c84b300f591b60266d04edbc3be884f66379d3a75d53309f10caa048dfa72f2
SSDEEP

98304:cpQoJl7ckc2LNvvAGxEW1v9S4+RMJ9aOZF9LOldZbc:cpRJl7O228EW1QycldZbc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1676	xqbg.exe

Loads dropped DLL 3 IoCs

pid	Process
1968	c91598f31099d5157ef641d2cfce647ad6e7de1b766e537c38df4258553da7c5.exe
1676	xqbg.exe
1676	xqbg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c91598f31099d5157ef641d2cfce647ad6e7de1b766e537c38df4258553da7c5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xqbg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1676	1968	c91598f31099d5157ef641d2cfce647ad6e7de1b766e537c38df4258553da7c5.exe	31
PID 1968 wrote to memory of 1676	1968	c91598f31099d5157ef641d2cfce647ad6e7de1b766e537c38df4258553da7c5.exe	31
PID 1968 wrote to memory of 1676	1968	c91598f31099d5157ef641d2cfce647ad6e7de1b766e537c38df4258553da7c5.exe	31
PID 1968 wrote to memory of 1676	1968	c91598f31099d5157ef641d2cfce647ad6e7de1b766e537c38df4258553da7c5.exe	31

C:\Users\Admin\AppData\Local\Temp\c91598f31099d5157ef641d2cfce647ad6e7de1b766e537c38df4258553da7c5.exe
"C:\Users\Admin\AppData\Local\Temp\c91598f31099d5157ef641d2cfce647ad6e7de1b766e537c38df4258553da7c5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Public\Downloads\program\xqbg.exe
  "C:\Users\Public\Downloads\program\xqbg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Downloads\program\libcurl.dll

Filesize
2.0MB

MD5
c4a02d48a5933ff30a579f5115ebc2dc

SHA1
66ac05c908307796abf80e3054f309d1da78f7cc

SHA256
71b56dee31c858efa6ae37f6fc491b79ecb9841485cb3bfdd0695b9672f5224c

SHA512
999f4cf966b65196ceaedabcaacb1eda4c485345c41ea0b3ea904f6b98d31de0688df54d1539619c0e9143f8153f0b782470659ec1bb0e339b7562c24c8e719c

Download Submit
C:\Users\Public\Downloads\program\ycomuiu.dll

Filesize
2.8MB

MD5
ca3b2eccdeedcf42bae93407743c0f37

SHA1
033983e8e14c7b8f75e5032988737f30e78bd958

SHA256
773464ce08bb928f76c3077815881334ac38b8289309bf15a1042491b960a16a

SHA512
5d3142cd617f592b9347555011839e36b389823e15acc2af2ed265c856c9383fb7b051101b88360a9fec531a0550fa5ef1b7d74ed3ea2c0fdb7950f6c106d429

Download Submit
\Users\Public\Downloads\program\xqbg.exe

Filesize
3.0MB

MD5
00e8f650a308193ec0bc9b8844890ec4

SHA1
eedf6392ae5dbb159c5e527b9b5a7a0b13a52f1a

SHA256
4b2bc7e72401881cc9e6f1576fbf94f409cca025e26572aff7248a30453c67ee

SHA512
56c0c7788bdd17b48b24e39c6fa2817cda2f504d1d5b97afa52791793961fa1e20a17ee518a8df4f803ca9fa95c4c60de31b39aac027487c9fa3fd1518dc6af1

Download Submit