Analysis

max time kernel: 93s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-11-2024 21:14
Static task: static1

Behavioral task: behavioral1
  Sample: EPDA MV.Sweet Lady.lll_pdf.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: EPDA MV.Sweet Lady.lll_pdf.exe
  Resource: win10v2004-20241007-en

Behavioral task: behavioral3
  Sample: 3bp6xookqs5b.dll
  Resource: win7-20240903-en

Behavioral task: behavioral4
  Sample: 3bp6xookqs5b.dll
  Resource: win10v2004-20241007-en

Behavioral task: behavioral5
  Sample: c0qit2o.exe
  Resource: win7-20240903-en

Behavioral task: behavioral6
  Sample: c0qit2o.exe
  Resource: win10v2004-20241007-en
General

Target: EPDA MV.Sweet Lady.lll_pdf.exe
Size: 205KB
MD5: a89f3213f565db4ec7d6daa25ccf5bb5
SHA1: 8764eccfa6c1689d8cfe90a652becce02ad94692
SHA256: 0bc4d1e45ab93d84a42b64fc2d0514440e13dc7afbed98e51e38f1d5d5229844
SHA512: 405cc3880b2eafc91f5cf06175b21de2f4d9b534db7dcc7f42325891d1573cde6b80646e72ddcbd7366610a5cb1bc2000f3de524b667310b7fb03d42167f29dd
SSDEEP: 6144:r9X0GfXLULFwWCnObVvM7FroK5W9JuqJ4d:F0qX45sObyloK5WXTOd
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  4084  c0qit2o.exe

Loads dropped DLL (1 IoC)
  pid   Process
  4084  c0qit2o.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2984  4084        WerFault.exe  81

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c0qit2o.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EPDA MV.Sweet Lady.lll_pdf.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  4084  c0qit2o.exe (8 identical entries)

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                         procid_target
  PID 1656 wrote to memory of 4084  1656  EPDA MV.Sweet Lady.lll_pdf.exe  81
  PID 1656 wrote to memory of 4084  1656  EPDA MV.Sweet Lady.lll_pdf.exe  81
  PID 1656 wrote to memory of 4084  1656  EPDA MV.Sweet Lady.lll_pdf.exe  81
  PID 4084 wrote to memory of 3364  4084  c0qit2o.exe                     83
  PID 4084 wrote to memory of 3364  4084  c0qit2o.exe                     83
  PID 4084 wrote to memory of 3364  4084  c0qit2o.exe                     83
Processes

1. C:\Users\Admin\AppData\Local\Temp\EPDA MV.Sweet Lady.lll_pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\EPDA MV.Sweet Lady.lll_pdf.exe"
   PID: 1656
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\c0qit2o.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c0qit2o.exe" "C:\Users\Admin\AppData\Local\Temp\3bp6xookqs5b.dll" "C:\Users\Admin\AppData\Local\Temp\rngdwqew.pa"
      PID: 4084
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\c0qit2o.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\c0qit2o.exe" "C:\Users\Admin\AppData\Local\Temp\3bp6xookqs5b.dll" "C:\Users\Admin\AppData\Local\Temp\rngdwqew.pa"
         PID: 3364

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 532
         PID: 2984
         - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4084 -ip 4084
   PID: 3812
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 11KB
MD5: ee224cf89c92d8b8d08cbd9dc183e6a7
SHA1: 8ab4416951d706730fdcf9422ac39a7308bd3443
SHA256: bd5ba137ea2f0162b1baaa6483f5f8d56a3327818c0c96a2b04842638625a8f3
SHA512: 261a568b8b3ee4a3b8fef2dd99889495ef91c05a1e593c23d36ebb495872e6623f8be20630a52126dbde8720aabd24f047b3cc654f744afe9310a4da01702005

Filesize: 3KB
MD5: 2632c0058c899f8a94077b5abab7cc96
SHA1: 2b2e620c7964d27828f903ebe4cf9359390a5f06
SHA256: 10241509299a29e8bd8c016b7ede6703a00915f65ae5165268f58bae93cdf37e
SHA512: a662a4ff0bfe8fafd3216ec98930a9805b8771d05fb803d3d9a9a99ce04e145ae60bcc4ed63574c712994e6aec90f03a1900a64e6a0021d010b0f016913d801e

Filesize: 160KB
MD5: 01c084425646663c72aca37f6d264116
SHA1: 0e386be132328bd1c43d811be34c02b2a1bd80ad
SHA256: 80c94eec38b6643d285080dfdb4aaf80d0657c05745df2f2c87538286d64777f
SHA512: acdb151145d06703516368ff46f4cd46c80280a90ac98700668c39fddfb3dbbd661721004dabdaab6902eb33788c852c9507a0dc591a1445e169f2a54e1de857