b20fbaf6e01ac6b5cf8737f4b27047319a569d2102c271e672dff9879e568998

Resubmissions

07-12-2024 18:54

241207-xkj9katmbr 10

07-12-2024 18:53

241207-xjpsnatmam 10

Analysis

max time kernel
0s
max time network
0s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FATALITY/loader.exe
Size

3.2MB
MD5

2307ca04c2633d28345fb0580c77c2ec
SHA1

edbd1f092ed03cb2674877aba6e874722ee07814
SHA256

168637ea64d64afefd1f88b91ffecb74715ccb6a98acf73d4a16175511628276
SHA512

c2646c5bf3dcd6ef4679af80ae6424c1f88e3f29a40beff729b59bebd8fd3d9b0d45392d2e11f4e1b69ada0f4ec20cfc45430d184cdf0238f2845b7deaff7e9b
SSDEEP

98304:ups+iZyomWShz+6WumEq5GGxLnIlP2NgQKGfxx:ndZOhNWumEqxLIB21K6H

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2756	loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2756	loader.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2756	loader.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2744	2756	loader.exe	30
PID 2756 wrote to memory of 2744	2756	loader.exe	30
PID 2756 wrote to memory of 2744	2756	loader.exe	30
PID 2756 wrote to memory of 2744	2756	loader.exe	30

C:\Users\Admin\AppData\Local\Temp\FATALITY\loader.exe
"C:\Users\Admin\AppData\Local\Temp\FATALITY\loader.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ServerWinRuntimeBroker\OAKCwEsKnudXsAgphVRYMDBaoP2ZIjCO6J5QYyd0q81GMNjCqOkwlC1.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ServerWinRuntimeBroker\OAKCwEsKnudXsAgphVRYMDBaoP2ZIjCO6J5QYyd0q81GMNjCqOkwlC1.vbe

Filesize
223B

MD5
3569aec6289503482c7877ad3f205301

SHA1
cf016699d614c9f2e9a899c646cd24aca6b75fcf

SHA256
a2bb38c2d2eafac2d73af9247252de8cfac9a4f9522b4f66ad73d9a003fc7754

SHA512
d8df28cd229e31eb97a705d02aac38f836b5b05741bdb7c97f4a8d9d3eec183a3883e39b30c2141e9c8b650c98edfb51a8cb7fce1c87d67b15bd9dc52a1b1ef5

Download Submit
memory/2756-0-0x0000000000220000-0x0000000000615000-memory.dmp

Filesize
4.0MB

Download
memory/2756-10-0x0000000000220000-0x0000000000615000-memory.dmp

Filesize
4.0MB

Download