c41899315b2f3dad512ed1f58746e59fdb2f9717badcf7b2c861c1248d945991

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
Size

501KB
MD5

8cef8cf2a22f58a16b12b5b0b05552ba
SHA1

cf7382c25a8bf0d904d51063ceb29fb70f630bc9
SHA256

c95fde4a188dbc361f9eff80e9ba9d082ef40f7a16809b5ef4886903f8fc8698
SHA512

86031b49267669987ee4cbe0e267d953c17032428c4ccaac318c3737c2b9a4c0203fa162f8c83a7f1616b73450118e6e5c0a474008130e1681443b3a51171591
SSDEEP

12288:clxTE2jm56ven1viU+NoAHKor2Bzqbb+0eT9aEZuo:cE2qvGHKorIaK0eMjo

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Systems = "C:\\Windows\\system32\\cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe"	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe

Drops file in System32 directory 2 IoCs

Processes:

cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
File created	C:\Windows\SysWOW64\cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe

description	pid	process	target process
PID 2416 set thread context of 1512	2416	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cf7382c25a8bf0d904d51063ceb29fb70f630bc9.execf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe

pid	process
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
1512	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe

description	pid	process	target process
PID 2416 wrote to memory of 1512	2416	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
PID 2416 wrote to memory of 1512	2416	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
PID 2416 wrote to memory of 1512	2416	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
PID 2416 wrote to memory of 1512	2416	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
PID 2416 wrote to memory of 1512	2416	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
PID 2416 wrote to memory of 1512	2416	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
PID 2416 wrote to memory of 1512	2416	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
PID 2416 wrote to memory of 1512	2416	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
PID 2416 wrote to memory of 1512	2416	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
PID 2416 wrote to memory of 1512	2416	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
PID 2416 wrote to memory of 1512	2416	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
PID 2416 wrote to memory of 1512	2416	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe	cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe

C:\Users\Admin\AppData\Local\Temp\cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
"C:\Users\Admin\AppData\Local\Temp\cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416
- \??\c:\users\admin\appdata\local\temp\cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe
  "c:\users\admin\appdata\local\temp\cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1512-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1512-4-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1512-20-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1512-19-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1512-23-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1512-16-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1512-18-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1512-10-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1512-8-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1512-6-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1512-12-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1512-2-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1512-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1512-21-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2416-17-0x0000000000400000-0x000000000047FE5C-memory.dmp

Filesize
511KB

Download