98c70efff4675dd2ef3f9a90afb155c4fdbee2aa1f0f2e1641f9c0b8f432407a

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

T.T_Copy.12.18.2024.exe
Size

1.2MB
MD5

4542c9e57e9d955244262c035aaffe94
SHA1

3dfade02ec7892ebdfa977c25354a352e0c55f56
SHA256

98c70efff4675dd2ef3f9a90afb155c4fdbee2aa1f0f2e1641f9c0b8f432407a
SHA512

ac1a22980f414a1b81700c88cd298ad039fd66e563067d14f5a8ea979e0cb2004d63b1246d1a0378ec883d9c3432789b2e3bcff963358e81010c55ee562e2ad9
SSDEEP

24576:INA3R5drXPU/S9abXnZZKBlxr89Wvz4csbmDEbOBVXLzR6t2oE+Lyjx:h52LGBlxRJsiDV7V60onud

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2740	dfbzdfb.sfx.exe
2636	dfbzdfb.exe
1232	zdfhrgzd.sfx.exe
2712	zdfhrgzd.exe
1628	zdfhrgzd.exe
996	zdfhrgzd.exe

Loads dropped DLL 9 IoCs

pid	Process
2824	cmd.exe
2740	dfbzdfb.sfx.exe
2740	dfbzdfb.sfx.exe
2740	dfbzdfb.sfx.exe
2880	cmd.exe
1232	zdfhrgzd.sfx.exe
1232	zdfhrgzd.sfx.exe
1232	zdfhrgzd.sfx.exe
1232	zdfhrgzd.sfx.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2712 set thread context of 1628	2712	zdfhrgzd.exe	39
PID 2712 set thread context of 996	2712	zdfhrgzd.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfbzdfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zdfhrgzd.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zdfhrgzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	T.T_Copy.12.18.2024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfbzdfb.sfx.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1388	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	zdfhrgzd.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1388	AcroRd32.exe
1388	AcroRd32.exe
1388	AcroRd32.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2824	1984	T.T_Copy.12.18.2024.exe	30
PID 1984 wrote to memory of 2824	1984	T.T_Copy.12.18.2024.exe	30
PID 1984 wrote to memory of 2824	1984	T.T_Copy.12.18.2024.exe	30
PID 1984 wrote to memory of 2824	1984	T.T_Copy.12.18.2024.exe	30
PID 2824 wrote to memory of 2740	2824	cmd.exe	32
PID 2824 wrote to memory of 2740	2824	cmd.exe	32
PID 2824 wrote to memory of 2740	2824	cmd.exe	32
PID 2824 wrote to memory of 2740	2824	cmd.exe	32
PID 2740 wrote to memory of 2636	2740	dfbzdfb.sfx.exe	33
PID 2740 wrote to memory of 2636	2740	dfbzdfb.sfx.exe	33
PID 2740 wrote to memory of 2636	2740	dfbzdfb.sfx.exe	33
PID 2740 wrote to memory of 2636	2740	dfbzdfb.sfx.exe	33
PID 2636 wrote to memory of 2880	2636	dfbzdfb.exe	34
PID 2636 wrote to memory of 2880	2636	dfbzdfb.exe	34
PID 2636 wrote to memory of 2880	2636	dfbzdfb.exe	34
PID 2636 wrote to memory of 2880	2636	dfbzdfb.exe	34
PID 2636 wrote to memory of 1388	2636	dfbzdfb.exe	36
PID 2636 wrote to memory of 1388	2636	dfbzdfb.exe	36
PID 2636 wrote to memory of 1388	2636	dfbzdfb.exe	36
PID 2636 wrote to memory of 1388	2636	dfbzdfb.exe	36
PID 2880 wrote to memory of 1232	2880	cmd.exe	37
PID 2880 wrote to memory of 1232	2880	cmd.exe	37
PID 2880 wrote to memory of 1232	2880	cmd.exe	37
PID 2880 wrote to memory of 1232	2880	cmd.exe	37
PID 1232 wrote to memory of 2712	1232	zdfhrgzd.sfx.exe	38
PID 1232 wrote to memory of 2712	1232	zdfhrgzd.sfx.exe	38
PID 1232 wrote to memory of 2712	1232	zdfhrgzd.sfx.exe	38
PID 1232 wrote to memory of 2712	1232	zdfhrgzd.sfx.exe	38
PID 2712 wrote to memory of 1628	2712	zdfhrgzd.exe	39
PID 2712 wrote to memory of 1628	2712	zdfhrgzd.exe	39
PID 2712 wrote to memory of 1628	2712	zdfhrgzd.exe	39
PID 2712 wrote to memory of 1628	2712	zdfhrgzd.exe	39
PID 2712 wrote to memory of 1628	2712	zdfhrgzd.exe	39
PID 2712 wrote to memory of 1628	2712	zdfhrgzd.exe	39
PID 2712 wrote to memory of 1628	2712	zdfhrgzd.exe	39
PID 2712 wrote to memory of 1628	2712	zdfhrgzd.exe	39
PID 2712 wrote to memory of 1628	2712	zdfhrgzd.exe	39
PID 2712 wrote to memory of 996	2712	zdfhrgzd.exe	40
PID 2712 wrote to memory of 996	2712	zdfhrgzd.exe	40
PID 2712 wrote to memory of 996	2712	zdfhrgzd.exe	40
PID 2712 wrote to memory of 996	2712	zdfhrgzd.exe	40
PID 2712 wrote to memory of 996	2712	zdfhrgzd.exe	40
PID 2712 wrote to memory of 996	2712	zdfhrgzd.exe	40
PID 2712 wrote to memory of 996	2712	zdfhrgzd.exe	40
PID 2712 wrote to memory of 996	2712	zdfhrgzd.exe	40
PID 2712 wrote to memory of 996	2712	zdfhrgzd.exe	40

C:\Users\Admin\AppData\Local\Temp\T.T_Copy.12.18.2024.exe
"C:\Users\Admin\AppData\Local\Temp\T.T_Copy.12.18.2024.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\oxfhxtr.cmd" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\dfbzdfb.sfx.exe
    dfbzdfb.sfx.exe -dC:\Users\Admin\AppData\Local\Temp -pepouidalfszfugyRhvqxsdfHbgnmeUtyadfhmxvfofnglfyjfodyehal
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\dfbzdfb.exe
      "C:\Users\Admin\AppData\Local\Temp\dfbzdfb.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\zdsthsxu.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Users\Admin\AppData\Roaming\zdfhrgzd.sfx.exe
        
        zdfhrgzd.sfx.exe -dC:\Users\Admin\AppData\Roaming -pesgujhbotoqxqegtpsadelifsujhmwxgthutjkdewsqwngjMiczafugybsbBbsdhdqbqeku
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
        
        "C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
        
        C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
        8⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
        
        C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
        8⤵
        Executes dropped EXE
        
        PID:996
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\mts103wift.pdf"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dfbzdfb.exe

Filesize
778KB

MD5
06eb0777fca570612c196d90f0499213

SHA1
047a0a9434594cf652559d0813c5f5c93b58240f

SHA256
4802023516756de90b9bf7cf9987eb139bde5a6fa74197096261781584927caf

SHA512
43ae3398acdb406102b0f8178fb4eccbe48938601657da626bb89db5a4406c76a2269bd48121b0983e4e0c3e7aa9ca6d87621e7a508a16ace10781e4e2bee155

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfbzdfb.sfx.exe

Filesize
923KB

MD5
3181c79bfcb07a0b43a020f22641f2b2

SHA1
a68ad92a42a1ccd8fd48737050a3e5fd459ccd08

SHA256
b932bc36f90d2fba9841cdb8bcaff7a0b7ccfecfe41f1d13ac5bfb6dbd241a04

SHA512
3ef8c85f12815523dabb865e32ea493f57d5e227aaabcccf96ca1c54eaf09e5bb81fafd18daa9d54121cf7ee20f6f5604e7ecf623c42f3c48df27e60cebe4bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxfhxtr.cmd

Filesize
18KB

MD5
dabe7144df4dfbd438fc298b12fe4c36

SHA1
317542f096111dade642f3037cc315f156502b6c

SHA256
341d002e13527d35797fb578b00f936c0dc7160c42bab945d0c8a26ee769f0d3

SHA512
f402f5ad42034a9fe8cf846ceb7c0b254b73408d3fb3b54358d37a2591b0ab1be5f236856518e74370ef623eac08f36636253334724b3fa34282f18109c6ac1a

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
d53f34c80f952a28692975730196133d

SHA1
a3174ae9472666806ef48b57e1a8fd534308b4bd

SHA256
41454b4ed2707e2607958a96f51a02607df530f1466bd96b26659a1e1adc2c3f

SHA512
64d0bc9f27a3edf9a4224349bfff0633e87e4b913df8f9d7010b5abf098137d52be22ccb18908911a00e80e9f3334010abf76c6ef322f301adf20f22d5ecf214

Download Submit
C:\Users\Admin\AppData\Roaming\mts103wift.pdf

Filesize
43KB

MD5
f10334c1dc5e4aec8fffd10387397af2

SHA1
a520e2e581be33181af241dab80799813bda5785

SHA256
307dd5cbcabfcbfd86b65b45f70fb5fc349b861593b74f36ff6416dd5aa44d1e

SHA512
2da918d25e6c50ac2423951b161b9c84833e1d06a978043c7a2ca88952ee625e4a0d3886135d112c846159c80e4ab59862ed95e14d8de9dd3930c6232bd6aecc

Download Submit
C:\Users\Admin\AppData\Roaming\zdsthsxu.bat

Filesize
16KB

MD5
8fc1f8bb8306146a314528098c110ee3

SHA1
2330121e717650009b311a2605c68d62e39ca1e2

SHA256
ae520ec2cf0a324d9b23b14a9c8c6cc28348f8edd17d7b515d5ee07fea0237f9

SHA512
8f233fff9b11738e10dfffd87d1de5905b4c7f4ddf04f8ae5e28d1d6f6265be6898ef31a7ef94f42a38974d4add496dfeb8e0920597140fe0886f5e95fdb6e13

Download Submit
\Users\Admin\AppData\Roaming\zdfhrgzd.exe

Filesize
503KB

MD5
ec0967a3e53d490e8e1ce811ce53d003

SHA1
8330c2aad5c238a5bdfd07a63349f071d9117e41

SHA256
af31317870dc15d70a14de5a05ad945b4b0920738c0c00e9b3d0c06d2b808275

SHA512
2d663cab58b3adb893514cec91862f7819390f79e3c83e2a194c0ac7a28fd72efcfe6afe81aad88734180119550128888e918ac5e0290d460f06771fde909a51

Download Submit
\Users\Admin\AppData\Roaming\zdfhrgzd.sfx.exe

Filesize
609KB

MD5
f59872e2fcc71ef9eb742e3792c37a76

SHA1
8d1fc98643fae35a3f81a18e20fbfa708f04eca4

SHA256
f483a26d822aa187a37651ceb7ac83cb87ae827501add4cb43001a6b84538380

SHA512
156c64dcadc098902c0bb238a5f969aec9110ec1f83f6677204e49172461ab1f1fbd57e3b5b19b2f53ed4fd3c9e7568d7dd15dbb961b6c6f5f62b6b16d47eae2

Download Submit
memory/2712-75-0x00000000000E0000-0x0000000000164000-memory.dmp

Filesize
528KB

Download