fd84148426c6188c0bdec2e66d1f4fda9392342adb0c225d64aaacce24ce8653

Analysis

max time kernel
292s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file_9.exe
Size

107KB
MD5

05fa70fac7d39757fa615c459fe1ab6e
SHA1

5ab4fba43997a3df4afa36e05012440d6d0253fa
SHA256

df4b719bc0b675b6a9466e8fd57e42ff55994e22507aa82aa08fd574935c83e4
SHA512

165b74dfb464f3b16cd97cc6c70e8f792543f30cd8c895fd695205531ff96fb630aac22b3f9f2398ed2aa0544b2ab827c8e7e8a018ee1eba021fbcc36e77cd31
SSDEEP

3072:UosBt1tpuky65s9MAfzbD8pTsmT+G42Wec5:UosB7tUOAvAuHfe

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

module.exe

pid process

2944 module.exe
Executes dropped EXE 1 IoCs

Processes:

module.exe

pid process

2944 module.exe
Loads dropped DLL 2 IoCs

Processes:

file_9.exe

pid process

2932 file_9.exe
2932 file_9.exe

pid	process
2944	module.exe

pid	process
2944	module.exe

pid	process
2932	file_9.exe
2932	file_9.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

file_9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\module = "C:\\ProgramData\\Media\\module.exe"	file_9.exe

Drops file in System32 directory 8 IoCs

Processes:

module.exefile_9.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sc.ini	module.exe
File opened for modification	C:\Windows\SysWOW64\sc.ini	module.exe
File created	C:\Windows\SysWOW64\sc.ini	file_9.exe
File opened for modification	C:\Windows\SysWOW64\sc.ini	file_9.exe
File created	C:\Windows\SysWOW64\delself.bat	file_9.exe
File opened for modification	C:\Windows\SysWOW64\delself.bat	file_9.exe
File created	C:\Windows\SysWOW64\delself2.bat	file_9.exe
File opened for modification	C:\Windows\SysWOW64\delself2.bat	file_9.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

file_9.exemodule.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file_9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	module.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

module.exe

pid process

2944 module.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

file_9.exemodule.exe

pid process

2932 file_9.exe
2944 module.exe

pid	process
2944	module.exe

pid	process
2932	file_9.exe
2944	module.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

file_9.exe

description	pid	process	target process
PID 2932 wrote to memory of 2944	2932	file_9.exe	module.exe
PID 2932 wrote to memory of 2944	2932	file_9.exe	module.exe
PID 2932 wrote to memory of 2944	2932	file_9.exe	module.exe
PID 2932 wrote to memory of 2944	2932	file_9.exe	module.exe

C:\Users\Admin\AppData\Local\Temp\file_9.exe
"C:\Users\Admin\AppData\Local\Temp\file_9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932
- C:\ProgramData\Media\module.exe
  C:\ProgramData\Media\module.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sc.ini

Filesize
54B

MD5
7da6d1a8fbea4859f4212878115ae892

SHA1
b8d7fec3cf1b362d82d481094e918043f999e234

SHA256
19bf8d178c2f01a489daac147781240d6344853508ea9555dd207d04c53093ac

SHA512
8e48b53fba488fa4f54374b565f4fd8e42f10fc2c0b8c8afe4755790d3445a56cbb7fcc72a509fbac81724f1e83da03b5c1cc460f1296b8645f3504a7e1cc82c

Download Submit
\ProgramData\Media\module.exe

Filesize
107KB

MD5
05fa70fac7d39757fa615c459fe1ab6e

SHA1
5ab4fba43997a3df4afa36e05012440d6d0253fa

SHA256
df4b719bc0b675b6a9466e8fd57e42ff55994e22507aa82aa08fd574935c83e4

SHA512
165b74dfb464f3b16cd97cc6c70e8f792543f30cd8c895fd695205531ff96fb630aac22b3f9f2398ed2aa0544b2ab827c8e7e8a018ee1eba021fbcc36e77cd31

Download Submit
memory/2932-0-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2932-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2932-20-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2944-14-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2944-21-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download