46dc49be65d7165e2a6009854a4f27f0088230199e61e0555cb1bd266535874a

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

foo/06ed82e88e1f68cc08602d7cd8ec5f59.exe
Size

12.2MB
MD5

06ed82e88e1f68cc08602d7cd8ec5f59
SHA1

37d4750e5f22cc395dd721dd5df73aeccc095bb5
SHA256

43eebbd84e92a99b2bbca0b578df68dc07756e2c5fe908c668ac8c69f934a7e5
SHA512

63060f8723b2ad50b8bfc225af22156215d5362bcf4a3ad77d9fe9059414b8ba69679f5fcf83159da224f165a83ebee74a306300f41205a887a06ec0bb86f895
SSDEEP

196608:2JFxZy4WBmUKUKWQNAmLiytHFjF6LNniJassnr5wc+snazcQ50OvvVpSIK28sWBj:23xU4RUKUKJdtTmuc/HpovrK28h2PA

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3068	06ed82e88e1f68cc08602d7cd8ec5f59.exe
3068	06ed82e88e1f68cc08602d7cd8ec5f59.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2976	3068	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06ed82e88e1f68cc08602d7cd8ec5f59.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3068	06ed82e88e1f68cc08602d7cd8ec5f59.exe
3068	06ed82e88e1f68cc08602d7cd8ec5f59.exe
3068	06ed82e88e1f68cc08602d7cd8ec5f59.exe
3068	06ed82e88e1f68cc08602d7cd8ec5f59.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2976	3068	06ed82e88e1f68cc08602d7cd8ec5f59.exe	30
PID 3068 wrote to memory of 2976	3068	06ed82e88e1f68cc08602d7cd8ec5f59.exe	30
PID 3068 wrote to memory of 2976	3068	06ed82e88e1f68cc08602d7cd8ec5f59.exe	30
PID 3068 wrote to memory of 2976	3068	06ed82e88e1f68cc08602d7cd8ec5f59.exe	30

C:\Users\Admin\AppData\Local\Temp\foo\06ed82e88e1f68cc08602d7cd8ec5f59.exe
"C:\Users\Admin\AppData\Local\Temp\foo\06ed82e88e1f68cc08602d7cd8ec5f59.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 1124
  2⤵
  - Program crash
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\KPIFFE2\TongJICNZZ.dll

Filesize
112KB

MD5
9b7d7dc19e849fd13fc600d8906b85f7

SHA1
65419e8b9fefe6d89f8b3d87445d021516381b88

SHA256
d3444b2dc03b38d2f96e2c8a33c63fe9817bf3508496a99c52da1ddeacfe50a9

SHA512
9eb3e023c9235e0a7587cadfb5562d3d1f35da5a0c5041e7a4fffb17f4fdd904f2dbf4ce43115635eba8dda2e768038e10704a7004d3f3bc00bf3ef8bc1295b5

Download Submit
\Users\Admin\AppData\Local\Temp\KPIFFE2\unrar.dll

Filesize
180KB

MD5
10ac1f41330bd672957438c037f626f8

SHA1
e9b92821c5af98e4248b19aeffee6c12a1eb2bf8

SHA256
6822f3582ee4f91139ccd2a75aadf86d4e5faac7c8dbfce90327ac3685d880cc

SHA512
ce852b1ab470ab8c46160453876f90a0bb2e490b09d8e6de741733bae97cdcfa1878818e57d1a9ec42b0f6d9ce1916e33f2965664785a46f3ed9f7728ca29bf6

Download Submit