a1bc0999e0a70970615710f53f353e85ff94367e832c45cfca4e8716f7c1cb5b

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1bc0999e0a70970615710f53f353e85ff94367e832c45cfca4e8716f7c1cb5b.exe
Size

481KB
MD5

d9881fa3c932f199bcb890e36ac36676
SHA1

45e3594e48c03fb40916c32ef6b0ba605dacb7f4
SHA256

a1bc0999e0a70970615710f53f353e85ff94367e832c45cfca4e8716f7c1cb5b
SHA512

1e99e2cb9b1652159db224c2d4f1111683b789bcd1234215f8c3cc63910046d72f664b9bfd93a2a84270ac7213dd1de3bd0c7da7b9ac01e22f0c42d168454450
SSDEEP

12288:luD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDSL+DY:I09AfNIEYsunZvZ19Z0s

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2508	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1bc0999e0a70970615710f53f353e85ff94367e832c45cfca4e8716f7c1cb5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2604	a1bc0999e0a70970615710f53f353e85ff94367e832c45cfca4e8716f7c1cb5b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2508	2604	a1bc0999e0a70970615710f53f353e85ff94367e832c45cfca4e8716f7c1cb5b.exe	32
PID 2604 wrote to memory of 2508	2604	a1bc0999e0a70970615710f53f353e85ff94367e832c45cfca4e8716f7c1cb5b.exe	32
PID 2604 wrote to memory of 2508	2604	a1bc0999e0a70970615710f53f353e85ff94367e832c45cfca4e8716f7c1cb5b.exe	32
PID 2604 wrote to memory of 2508	2604	a1bc0999e0a70970615710f53f353e85ff94367e832c45cfca4e8716f7c1cb5b.exe	32

C:\Users\Admin\AppData\Local\Temp\a1bc0999e0a70970615710f53f353e85ff94367e832c45cfca4e8716f7c1cb5b.exe
"C:\Users\Admin\AppData\Local\Temp\a1bc0999e0a70970615710f53f353e85ff94367e832c45cfca4e8716f7c1cb5b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ntdnnrfn.vbs"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\registro\registros.dat

Filesize
184B

MD5
143044ba97cd20bab2f7cf722e8eb7f1

SHA1
52bd88d2305d1ea89d6d81c5c5c4399ae6df4c43

SHA256
e17000ed6aeb23e471cbf3edf57717a73f62ec4a91cf44d05f45f60b037a4be7

SHA512
e11326657b337dd09855dcd22e354e536f8edcda358e430c7a32daf0bbe7c0f19a362b032e45f0d87742889c3be484c0f609f9e01c64439d59f5b4a79e0c300c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntdnnrfn.vbs

Filesize
728B

MD5
8cdd01aac2fd1c6f575330776cfe246a

SHA1
7d1c3721dbef4a66a71fe8372d24c9f90ee1101a

SHA256
c684ffb20cbb4d5ef7d280318e827857e573741af2bc2f0c1f784e79a2e9d56f

SHA512
d3c36c078360b871ec1ee49c506124fcb5cb2a9cc3673eae78d367b848ad34fcbb38bab784523e095097c91a43c94eec282a8b7710b91a2e9ae19a0bf168bd28

Download Submit