abff8ad79e497aeb5787012b0b0b718324e98bff7e703071c9fe75d6e534b6d6

Resubmissions

27-11-2024 13:27

241127-qqdkmsvnhz 10

27-11-2024 09:28

241127-lfrx3atrgr 10

Analysis

max time kernel
148s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f7713dcf8ad6717ea6eb432774a29317649a512445221dc0a29ed79e48b7663.exe
Size

5.7MB
MD5

ef8e29925a165755db235f31092eb5e6
SHA1

3bae3a4c18c7d8baf0fca9b0a5e58b7785f33123
SHA256

4f7713dcf8ad6717ea6eb432774a29317649a512445221dc0a29ed79e48b7663
SHA512

5ae5e1fa3bc54431dad5cfb16ea14ac7ac203265197af9ad181d0362dee248cd2e9de18da71a5712e97522c2eb3fa5c24629ebd418b2aadcc32c694237bc2200
SSDEEP

98304:yVWEpMFhfhIp8WIs6d0xCNj3DeoWhoWEEN2F5qh27OkgnQxdT6/dsjNUoWUP9O:zB1IdIs6dNN2oIoWEn/qhNk0H/dsaI9

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
596	sihost.exe

Loads dropped DLL 1 IoCs

pid	Process
1032	4f7713dcf8ad6717ea6eb432774a29317649a512445221dc0a29ed79e48b7663.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	iplogger.org
5	iplogger.org

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
1032	4f7713dcf8ad6717ea6eb432774a29317649a512445221dc0a29ed79e48b7663.exe
1032	4f7713dcf8ad6717ea6eb432774a29317649a512445221dc0a29ed79e48b7663.exe
596	sihost.exe
596	sihost.exe
596	sihost.exe
596	sihost.exe
596	sihost.exe
596	sihost.exe
596	sihost.exe
596	sihost.exe
596	sihost.exe
596	sihost.exe
596	sihost.exe
596	sihost.exe
596	sihost.exe
596	sihost.exe
596	sihost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f7713dcf8ad6717ea6eb432774a29317649a512445221dc0a29ed79e48b7663.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sihost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2932	schtasks.exe
2220	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1032	4f7713dcf8ad6717ea6eb432774a29317649a512445221dc0a29ed79e48b7663.exe
596	sihost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1032	4f7713dcf8ad6717ea6eb432774a29317649a512445221dc0a29ed79e48b7663.exe
596	sihost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 2932	1032	4f7713dcf8ad6717ea6eb432774a29317649a512445221dc0a29ed79e48b7663.exe	31
PID 1032 wrote to memory of 2932	1032	4f7713dcf8ad6717ea6eb432774a29317649a512445221dc0a29ed79e48b7663.exe	31
PID 1032 wrote to memory of 2932	1032	4f7713dcf8ad6717ea6eb432774a29317649a512445221dc0a29ed79e48b7663.exe	31
PID 1032 wrote to memory of 2932	1032	4f7713dcf8ad6717ea6eb432774a29317649a512445221dc0a29ed79e48b7663.exe	31
PID 1032 wrote to memory of 596	1032	4f7713dcf8ad6717ea6eb432774a29317649a512445221dc0a29ed79e48b7663.exe	34
PID 1032 wrote to memory of 596	1032	4f7713dcf8ad6717ea6eb432774a29317649a512445221dc0a29ed79e48b7663.exe	34
PID 1032 wrote to memory of 596	1032	4f7713dcf8ad6717ea6eb432774a29317649a512445221dc0a29ed79e48b7663.exe	34
PID 1032 wrote to memory of 596	1032	4f7713dcf8ad6717ea6eb432774a29317649a512445221dc0a29ed79e48b7663.exe	34
PID 596 wrote to memory of 2220	596	sihost.exe	35
PID 596 wrote to memory of 2220	596	sihost.exe	35
PID 596 wrote to memory of 2220	596	sihost.exe	35
PID 596 wrote to memory of 2220	596	sihost.exe	35

C:\Users\Admin\AppData\Local\Temp\4f7713dcf8ad6717ea6eb432774a29317649a512445221dc0a29ed79e48b7663.exe
"C:\Users\Admin\AppData\Local\Temp\4f7713dcf8ad6717ea6eb432774a29317649a512445221dc0a29ed79e48b7663.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 5 /TN "Shell Infrastructure Host" /TR "C:\Users\Admin\AppData\Roaming\WinRAR\sihost.exe" /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2932
- C:\Users\Admin\AppData\Roaming\WinRAR\sihost.exe
  t C:\Users\Admin\AppData\Local\Temp\4f7713dcf8ad6717ea6eb432774a29317649a512445221dc0a29ed79e48b7663.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 5 /TN "Shell Infrastructure Host" /TR "C:\Users\Admin\AppData\Roaming\WinRAR\sihost.exe" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\WinRAR\sihost.exe

Filesize
5.7MB

MD5
ef8e29925a165755db235f31092eb5e6

SHA1
3bae3a4c18c7d8baf0fca9b0a5e58b7785f33123

SHA256
4f7713dcf8ad6717ea6eb432774a29317649a512445221dc0a29ed79e48b7663

SHA512
5ae5e1fa3bc54431dad5cfb16ea14ac7ac203265197af9ad181d0362dee248cd2e9de18da71a5712e97522c2eb3fa5c24629ebd418b2aadcc32c694237bc2200

Download Submit
memory/596-35-0x0000000000BD0000-0x0000000002567000-memory.dmp

Filesize
25.6MB

Download
memory/596-43-0x0000000000BD0000-0x0000000002567000-memory.dmp

Filesize
25.6MB

Download
memory/596-34-0x0000000000BD0000-0x0000000002567000-memory.dmp

Filesize
25.6MB

Download
memory/596-44-0x0000000000BD0000-0x0000000002567000-memory.dmp

Filesize
25.6MB

Download
memory/596-30-0x0000000000BD0000-0x0000000002567000-memory.dmp

Filesize
25.6MB

Download
memory/596-31-0x0000000000BD0000-0x0000000002567000-memory.dmp

Filesize
25.6MB

Download
memory/596-32-0x0000000000BD0000-0x0000000002567000-memory.dmp

Filesize
25.6MB

Download
memory/596-36-0x0000000000BD0000-0x0000000002567000-memory.dmp

Filesize
25.6MB

Download
memory/596-45-0x0000000000BD0000-0x0000000002567000-memory.dmp

Filesize
25.6MB

Download
memory/596-42-0x0000000000BD0000-0x0000000002567000-memory.dmp

Filesize
25.6MB

Download
memory/596-33-0x0000000000BD0000-0x0000000002567000-memory.dmp

Filesize
25.6MB

Download
memory/596-37-0x0000000000BD0000-0x0000000002567000-memory.dmp

Filesize
25.6MB

Download
memory/596-38-0x0000000000BD0000-0x0000000002567000-memory.dmp

Filesize
25.6MB

Download
memory/596-39-0x0000000000BD0000-0x0000000002567000-memory.dmp

Filesize
25.6MB

Download
memory/596-40-0x0000000000BD0000-0x0000000002567000-memory.dmp

Filesize
25.6MB

Download
memory/596-41-0x0000000000BD0000-0x0000000002567000-memory.dmp

Filesize
25.6MB

Download
memory/1032-1-0x00000000009D0000-0x0000000002367000-memory.dmp

Filesize
25.6MB

Download
memory/1032-0-0x00000000009D0000-0x0000000002367000-memory.dmp

Filesize
25.6MB

Download
memory/1032-27-0x00000000009D0000-0x0000000002367000-memory.dmp

Filesize
25.6MB

Download
memory/1032-28-0x0000000007710000-0x00000000090A7000-memory.dmp

Filesize
25.6MB

Download