33bca0b7c35d92fe1dec4638d803349ca76a0f4b2a647efa49697edb77d2ae95

Analysis

max time kernel
135s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7zSCD97F9B7/61cf42db8e020_Fri179863c92d69.exe
Size

1.9MB
MD5

1a834bf6d259babbfb8f84a40c30cee2
SHA1

bac32a006f8451b5e5063e12dfc3a27c44dd79db
SHA256

1604a4cccddecd3d488d6ede5f4040b3cb95e5d76385cb0be30cb7f8e1a380b5
SHA512

9e4e5feafeaff5695486a226fe4b302a5b4ab484e4fb96de2bb2ffeebba8f65f782283994a6409a4d36005edbf810c94f6258c4118d7facda0273a85dc2afba1
SSDEEP

24576:YLeTtjJFtHrKCeZEnvjEgbnqpZamVkfj6eR0DNk4pbAZXY1pokix+8bdmS5:YLYkCcEbEMIZa5fMJkCQYwkirbMS5

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	2716	rundll32.exe
5	2716	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
2564	f78584d.exe

Loads dropped DLL 17 IoCs

pid	Process
3044	rundll32.exe
3044	rundll32.exe
3044	rundll32.exe
3044	rundll32.exe
2716	rundll32.exe
2716	rundll32.exe
2716	rundll32.exe
2716	rundll32.exe
2716	rundll32.exe
2716	rundll32.exe
2716	rundll32.exe
2716	rundll32.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2164	2564	WerFault.exe	36

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f78584d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61cf42db8e020_Fri179863c92d69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 1788	2368	61cf42db8e020_Fri179863c92d69.exe	30
PID 2368 wrote to memory of 1788	2368	61cf42db8e020_Fri179863c92d69.exe	30
PID 2368 wrote to memory of 1788	2368	61cf42db8e020_Fri179863c92d69.exe	30
PID 2368 wrote to memory of 1788	2368	61cf42db8e020_Fri179863c92d69.exe	30
PID 1788 wrote to memory of 3044	1788	control.exe	31
PID 1788 wrote to memory of 3044	1788	control.exe	31
PID 1788 wrote to memory of 3044	1788	control.exe	31
PID 1788 wrote to memory of 3044	1788	control.exe	31
PID 1788 wrote to memory of 3044	1788	control.exe	31
PID 1788 wrote to memory of 3044	1788	control.exe	31
PID 1788 wrote to memory of 3044	1788	control.exe	31
PID 3044 wrote to memory of 1988	3044	rundll32.exe	33
PID 3044 wrote to memory of 1988	3044	rundll32.exe	33
PID 3044 wrote to memory of 1988	3044	rundll32.exe	33
PID 3044 wrote to memory of 1988	3044	rundll32.exe	33
PID 1988 wrote to memory of 2716	1988	RunDll32.exe	34
PID 1988 wrote to memory of 2716	1988	RunDll32.exe	34
PID 1988 wrote to memory of 2716	1988	RunDll32.exe	34
PID 1988 wrote to memory of 2716	1988	RunDll32.exe	34
PID 1988 wrote to memory of 2716	1988	RunDll32.exe	34
PID 1988 wrote to memory of 2716	1988	RunDll32.exe	34
PID 1988 wrote to memory of 2716	1988	RunDll32.exe	34
PID 2716 wrote to memory of 2564	2716	rundll32.exe	36
PID 2716 wrote to memory of 2564	2716	rundll32.exe	36
PID 2716 wrote to memory of 2564	2716	rundll32.exe	36
PID 2716 wrote to memory of 2564	2716	rundll32.exe	36
PID 2564 wrote to memory of 2164	2564	f78584d.exe	37
PID 2564 wrote to memory of 2164	2564	f78584d.exe	37
PID 2564 wrote to memory of 2164	2564	f78584d.exe	37
PID 2564 wrote to memory of 2164	2564	f78584d.exe	37

C:\Users\Admin\AppData\Local\Temp\7zSCD97F9B7\61cf42db8e020_Fri179863c92d69.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCD97F9B7\61cf42db8e020_Fri179863c92d69.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\mPPZNWRH.cPL",
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\mPPZNWRH.cPL",
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\mPPZNWRH.cPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\mPPZNWRH.cPL",
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Users\Admin\AppData\Local\Temp\f78584d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f78584d.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 532
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\f78584d.exe

Filesize
11KB

MD5
620bda3df817bff8deb38758d1dc668c

SHA1
9933523941851b42047f2b7a1324eb8daa8fb1ff

SHA256
b74d7ff45768a1ee6f267e895de3e46cca505edf205563ef3f7db827f38363b3

SHA512
bc9e932860f63090bab251057bc1fd6875c410c2358321eaa74fccc117561b91e4ce6b24d5e7bb13dc44732ae151b7c33fe201acbb5af689d7f2d248dfb8c568

Download Submit
memory/2564-73-0x0000000000100000-0x0000000000108000-memory.dmp

Filesize
32KB

Download
memory/2716-43-0x000000002DFD0000-0x000000002E061000-memory.dmp

Filesize
580KB

Download
memory/2716-47-0x0000000000180000-0x0000000000185000-memory.dmp

Filesize
20KB

Download
memory/2716-34-0x00000000024F0000-0x00000000034F0000-memory.dmp

Filesize
16.0MB

Download
memory/2716-46-0x0000000000170000-0x0000000000173000-memory.dmp

Filesize
12KB

Download
memory/2716-39-0x000000002D100000-0x000000002D19D000-memory.dmp

Filesize
628KB

Download
memory/2716-45-0x000000002DFD0000-0x000000002E061000-memory.dmp

Filesize
580KB

Download
memory/2716-40-0x000000002D1A0000-0x000000002DF26000-memory.dmp

Filesize
13.5MB

Download
memory/2716-41-0x000000002DF30000-0x000000002DFC6000-memory.dmp

Filesize
600KB

Download
memory/2716-27-0x00000000024F0000-0x00000000034F0000-memory.dmp

Filesize
16.0MB

Download
memory/2716-28-0x000000002D040000-0x000000002D0F1000-memory.dmp

Filesize
708KB

Download
memory/2716-29-0x000000002D100000-0x000000002D19D000-memory.dmp

Filesize
628KB

Download
memory/2716-32-0x000000002D100000-0x000000002D19D000-memory.dmp

Filesize
628KB

Download
memory/3044-18-0x000000002D140000-0x000000002DEC6000-memory.dmp

Filesize
13.5MB

Download
memory/3044-19-0x000000002DED0000-0x000000002DF66000-memory.dmp

Filesize
600KB

Download
memory/3044-21-0x000000002DF70000-0x000000002E001000-memory.dmp

Filesize
580KB

Download
memory/3044-20-0x000000002DF70000-0x000000002E001000-memory.dmp

Filesize
580KB

Download
memory/3044-8-0x00000000023B0000-0x00000000033B0000-memory.dmp

Filesize
16.0MB

Download
memory/3044-14-0x00000000023B0000-0x00000000033B0000-memory.dmp

Filesize
16.0MB

Download
memory/3044-17-0x0000000001FC0000-0x000000000205D000-memory.dmp

Filesize
628KB

Download
memory/3044-9-0x000000002D080000-0x000000002D131000-memory.dmp

Filesize
708KB

Download
memory/3044-13-0x0000000001FC0000-0x000000000205D000-memory.dmp

Filesize
628KB

Download
memory/3044-10-0x0000000001FC0000-0x000000000205D000-memory.dmp

Filesize
628KB

Download
memory/3044-82-0x000000002DF70000-0x000000002E001000-memory.dmp

Filesize
580KB

Download
memory/3044-83-0x0000000000050000-0x0000000000053000-memory.dmp

Filesize
12KB

Download
memory/3044-84-0x0000000000060000-0x0000000000065000-memory.dmp

Filesize
20KB

Download