Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2024 05:09

General

  • Target

    8ec22a0bb8a89a070233fd62c19bfb9d6ec6663d659da9b7577da7a3b8e23821.exe

  • Size

    1.2MB

  • MD5

    e9d3c9c75c2b063aafb5251e16328831

  • SHA1

    3e9e3eb457c189e03635edc4f5172b4d218c4be6

  • SHA256

    8ec22a0bb8a89a070233fd62c19bfb9d6ec6663d659da9b7577da7a3b8e23821

  • SHA512

    4b77bbb38ca0622c9f97f43b63c9ecea1511439320aac606de2e8efea63d2a936a4f92ca8ce06b0000aafdbc9c95aa08abbcecaed1c732fcf3d50accada3fddd

  • SSDEEP

    24576:eAHnh+eWsN3skA4RV1Hom2KXMmHa3t2smYe+n7ELue0hgU56:Jh+ZkldoPK8Ya3tjkc7Aue0N6

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    185.212.130.11
  • Port:
    21
  • Username:
    user79739
  • Password:
    Repriza1337

Signatures

  • Executes dropped EXE 2 IoCs
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ec22a0bb8a89a070233fd62c19bfb9d6ec6663d659da9b7577da7a3b8e23821.exe
    "C:\Users\Admin\AppData\Local\Temp\8ec22a0bb8a89a070233fd62c19bfb9d6ec6663d659da9b7577da7a3b8e23821.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    • Suspicious behavior: RenamesItself
    PID:728
  • C:\Users\Admin\AppData\Roaming\msil_system.workflow.activities_31bf3856ad364e35_10.0.19200.101_none_f83afad8632f8bce\mfc120deu.exe
    C:\Users\Admin\AppData\Roaming\msil_system.workflow.activities_31bf3856ad364e35_10.0.19200.101_none_f83afad8632f8bce\mfc120deu.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:4800
  • C:\Users\Admin\AppData\Roaming\msil_system.workflow.activities_31bf3856ad364e35_10.0.19200.101_none_f83afad8632f8bce\mfc120deu.exe
    C:\Users\Admin\AppData\Roaming\msil_system.workflow.activities_31bf3856ad364e35_10.0.19200.101_none_f83afad8632f8bce\mfc120deu.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    PID:4896

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\msil_system.workflow.activities_31bf3856ad364e35_10.0.19200.101_none_f83afad8632f8bce\mfc120deu.exe

    Filesize

    1.2MB

    MD5

    e9d3c9c75c2b063aafb5251e16328831

    SHA1

    3e9e3eb457c189e03635edc4f5172b4d218c4be6

    SHA256

    8ec22a0bb8a89a070233fd62c19bfb9d6ec6663d659da9b7577da7a3b8e23821

    SHA512

    4b77bbb38ca0622c9f97f43b63c9ecea1511439320aac606de2e8efea63d2a936a4f92ca8ce06b0000aafdbc9c95aa08abbcecaed1c732fcf3d50accada3fddd

  • memory/728-8-0x00000000008F0000-0x0000000000A25000-memory.dmp

    Filesize

    1.2MB