Overview

overview

10

Static

static

1

7c7156bffa...b9.exe

windows7-x64

7

7c7156bffa...b9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-12-2024 01:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c7156bffa25093c47c8d5515b9420f3b02a3d466ba9a564d440f0cc06969ab9.exe

  • Size

    15.8MB

  • MD5

    db5818c5d7a25382f53f6f961b5d04f5

  • SHA1

    fe5f8cfd8adf3297a2dd883951ed84af9058721d

  • SHA256

    7c7156bffa25093c47c8d5515b9420f3b02a3d466ba9a564d440f0cc06969ab9

  • SHA512

    1b1e3b124dba5666b3e04942b8306836b608fc639664538b70f937b4af6f0473a7d9c9e0fc6565eabc2c24e2d139171c9c227f9c648d464b8c0c346b4f899a21

  • SSDEEP

    393216:SpNtz8jMP3N9X4VPpiFPXyK3q3kwaQNnMykEOSc:S3Z3P3N9X24Xlq3xBMz

Score
7/10
discoveryexecution

Malware Config

Signatures

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 22 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c7156bffa25093c47c8d5515b9420f3b02a3d466ba9a564d440f0cc06969ab9.exe
    "C:\Users\Admin\AppData\Local\Temp\7c7156bffa25093c47c8d5515b9420f3b02a3d466ba9a564d440f0cc06969ab9.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Users\Admin\AppData\Local\Temp\is-JTN74.tmp\7c7156bffa25093c47c8d5515b9420f3b02a3d466ba9a564d440f0cc06969ab9.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-JTN74.tmp\7c7156bffa25093c47c8d5515b9420f3b02a3d466ba9a564d440f0cc06969ab9.tmp" /SL5="$30144,16129897,161280,C:\Users\Admin\AppData\Local\Temp\7c7156bffa25093c47c8d5515b9420f3b02a3d466ba9a564d440f0cc06969ab9.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C timeout /T 3 & "C:\Users\Admin\AppData\Local\Temp\7c7156bffa25093c47c8d5515b9420f3b02a3d466ba9a564d440f0cc06969ab9.exe" /VERYSILENT /SUPPRESSMSGBOXES
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3000
        • C:\Windows\SysWOW64\timeout.exe
          timeout /T 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2584
        • C:\Users\Admin\AppData\Local\Temp\7c7156bffa25093c47c8d5515b9420f3b02a3d466ba9a564d440f0cc06969ab9.exe
          "C:\Users\Admin\AppData\Local\Temp\7c7156bffa25093c47c8d5515b9420f3b02a3d466ba9a564d440f0cc06969ab9.exe" /VERYSILENT /SUPPRESSMSGBOXES
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2780
          • C:\Users\Admin\AppData\Local\Temp\is-RV6QA.tmp\7c7156bffa25093c47c8d5515b9420f3b02a3d466ba9a564d440f0cc06969ab9.tmp
            "C:\Users\Admin\AppData\Local\Temp\is-RV6QA.tmp\7c7156bffa25093c47c8d5515b9420f3b02a3d466ba9a564d440f0cc06969ab9.tmp" /SL5="$30162,16129897,161280,C:\Users\Admin\AppData\Local\Temp\7c7156bffa25093c47c8d5515b9420f3b02a3d466ba9a564d440f0cc06969ab9.exe" /VERYSILENT /SUPPRESSMSGBOXES
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:2756
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Documents\xIdr.exe
              6⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2608
              • C:\Users\Public\Documents\xIdr.exe
                C:\Users\Public\Documents\xIdr.exe
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2088
                • C:\Users\Admin\AppData\Local\Temp\is-KSH6D.tmp\xIdr.tmp
                  "C:\Users\Admin\AppData\Local\Temp\is-KSH6D.tmp\xIdr.tmp" /SL5="$70218,450511,141312,C:\Users\Public\Documents\xIdr.exe"
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:1276
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /C timeout /T 3 & "C:\Users\Public\Documents\xIdr.exe" /VERYSILENT /SUPPRESSMSGBOXES
                    9⤵
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:3060
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout /T 3
                      10⤵
                      • System Location Discovery: System Language Discovery
                      • Delays execution with timeout.exe
                      PID:572
                    • C:\Users\Public\Documents\xIdr.exe
                      "C:\Users\Public\Documents\xIdr.exe" /VERYSILENT /SUPPRESSMSGBOXES
                      10⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      PID:2564
                      • C:\Users\Admin\AppData\Local\Temp\is-I7K0E.tmp\xIdr.tmp
                        "C:\Users\Admin\AppData\Local\Temp\is-I7K0E.tmp\xIdr.tmp" /SL5="$401DC,450511,141312,C:\Users\Public\Documents\xIdr.exe" /VERYSILENT /SUPPRESSMSGBOXES
                        11⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of FindShellTrayWindow
                        PID:2880
                        • C:\Windows\SysWOW64\regsvr32.exe
                          "regsvr32.exe" /s /i:360 C:\Users\Admin\AppData\Roaming\Setup_Lock.dll
                          12⤵
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          PID:1784
                          • C:\Windows\system32\regsvr32.exe
                            /s /i:360 C:\Users\Admin\AppData\Roaming\Setup_Lock.dll
                            13⤵
                            • Loads dropped DLL
                            PID:2908
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Documents\XkcY.exe
              6⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2644
              • C:\Users\Public\Documents\XkcY.exe
                C:\Users\Public\Documents\XkcY.exe
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of WriteProcessMemory
                PID:2932
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
                  8⤵
                  • Drops file in System32 directory
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2008

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\unins000.dat
    Filesize

    3KB

    MD5

    e303f8608e9984e5c37279dcf7908094

    SHA1

    0ed029d7cab355725e2f5701a5c40277432e82a3

    SHA256

    e28c534f4c3b7df18f6c6d03724a78b3b6639b280e9693117ee1ce3a2b476b2a

    SHA512

    2f3df64cf8ed9768c2c99e4c694e6670fffc4321acbe517195a731697f5a4f44446791c1c6481d1f6780af7ece7a30f9198ced206294f6aadcd1a9d04347b43b

    Download Submit

  • C:\Users\Admin\AppData\Local\unins000.exe
    Filesize

    1.1MB

    MD5

    2c8dc574be7d1f780d42a2a9b8360c66

    SHA1

    fbae754f9ff7ea7caa528900f186cc6e49ef1609

    SHA256

    26db8da9a1921abec961ed77d4713389901a3cfe97dd420283bb679c5b537b2d

    SHA512

    a33c66e7729dc913d5089e2569f7b7e649bf6b11895bbccc88c95666c6e18e0ce09a66ef57434f3470014166bb2c6e1f5e1de2d830722642078c8db335e34495

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Setup_Lock.dll
    Filesize

    722KB

    MD5

    8227e4c7968f31debf26e01c5b3373ea

    SHA1

    da4a3634918d45a3c076dece82534425914763ea

    SHA256

    c180b6566c67983b6b065010f2ee50a594e532777cbb509ffaebec037d6dfa18

    SHA512

    4b03e9b40b4720208359b93ef350f1dbd56b368938c9673f035f7f5e76ff622d4eafdcf6205907ef0855d27debd063e82f51f448a2b2c1a8d548b3455d539332

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-3OFQL.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-JTN74.tmp\7c7156bffa25093c47c8d5515b9420f3b02a3d466ba9a564d440f0cc06969ab9.tmp
    Filesize

    1.1MB

    MD5

    070f66d3e84cd5ecccbb772fcf8e7811

    SHA1

    bc9c66bbe77da53a8d57ad9e41fd92936e892937

    SHA256

    b61184c727ecfeed0d77a237872ba282a544e15cfc54c28f420f06a5abea55db

    SHA512

    aa0803ae82c115b28e5965b1c3387580b833330db03fe69778d1f5680948bb5369d48336ed2e016a279ddfd239a39ea17922e66a017858f128d9f4aa4a9bbdcf

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-KSH6D.tmp\xIdr.tmp
    Filesize

    1.1MB

    MD5

    8fdc58c7d4c59472615682d6dea9d190

    SHA1

    8e131fe09fd238493719b4fd92e6c833bf3596c1

    SHA256

    26a5be637ee680b1ec11d1adf2fd0972cc52078cbd200d9273f8bb826707c83b

    SHA512

    b05b9fd8ff3d627b562cbd2968466fb54adbc2fa5591ebe803300a3c5ef7887bc1761d8013b47aab0f5387265c8b7b15078a01abb75d4c3180671780181ebe24

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nst262.tmp\System.dll
    Filesize

    12KB

    MD5

    192639861e3dc2dc5c08bb8f8c7260d5

    SHA1

    58d30e460609e22fa0098bc27d928b689ef9af78

    SHA256

    23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

    SHA512

    6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nst262.tmp\nsDialogs.dll
    Filesize

    9KB

    MD5

    b7d61f3f56abf7b7ff0d4e7da3ad783d

    SHA1

    15ab5219c0e77fd9652bc62ff390b8e6846c8e3e

    SHA256

    89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912

    SHA512

    6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nst262.tmp\nsExec.dll
    Filesize

    7KB

    MD5

    11092c1d3fbb449a60695c44f9f3d183

    SHA1

    b89d614755f2e943df4d510d87a7fc1a3bcf5a33

    SHA256

    2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

    SHA512

    c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

    Download Submit

  • \Users\Public\Documents\XkcY.exe
    Filesize

    14.7MB

    MD5

    e039e221b48fc7c02517d127e158b89f

    SHA1

    79eed88061472ae590616556f31576ca13bfc7fb

    SHA256

    dc30e5dab15392627d30a506f6304030c581fc00716703fc31add10ff263d70b

    SHA512

    87231c025bb94771e89a639c9cb1528763f096059f8806227b8ab45a8f1ea5cd3d94fdc91cb20dd140b91a14904653517f7b6673a142a864a58a2726d14ae4b8

    Download Submit

  • \Users\Public\Documents\xIdr.exe
    Filesize

    810KB

    MD5

    293b0b9d1f227d92c2d7eec2f24ad24d

    SHA1

    65ba68759577ba15279e3934a50ca2e1fa31797f

    SHA256

    f30e5bbafa334ed502d1db1085a0033e74649b7ed1d3caaf719e4e0d80513498

    SHA512

    e08c30e52faf5cce75e3095b5dc805f083e330b71d7a03af4d6b365877aeded6ac827a53232d82e25e809b991ec7a2f17fd3d3367d747936cfcb57cb8540475f

    Download Submit

  • memory/1276-116-0x0000000000400000-0x0000000000528000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2088-47-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2088-118-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2148-0-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2148-2-0x0000000000401000-0x0000000000417000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2148-43-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2564-88-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2564-115-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2684-41-0x0000000000400000-0x000000000052D000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2684-8-0x0000000000400000-0x000000000052D000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2756-38-0x0000000000400000-0x000000000052D000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2780-15-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2780-39-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2880-114-0x0000000000400000-0x0000000000528000-memory.dmp

    Filesize

    1.2MB

    Download