62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe
Size

949KB
MD5

5f41899fe8f7801b20885898e0f4c05a
SHA1

b696ed30844f88392897eb9c0d47cfabcf9ad5f3
SHA256

62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed
SHA512

c9490f3359df8be70a21e88cc940c3486391fbc089cb026d5570cc235133f63dd6e8dfc6cce8db9dd11cb64d2a5be6d0329abb15713f5bfb37d9c362f9e3220a
SSDEEP

24576:vnvJUgT/3hRWpul04R3qO/hCwZWHGIEIPURoWuVT:vvygTffWMlH6otkGI9sLuF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2512	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp
2680	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp

Loads dropped DLL 9 IoCs

pid	Process
2328	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe
2512	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp
2512	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp
2512	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp
2060	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe
2680	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp
2680	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp
2680	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp
1148	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2680	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp
2680	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2680	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2512	2328	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe	31
PID 2328 wrote to memory of 2512	2328	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe	31
PID 2328 wrote to memory of 2512	2328	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe	31
PID 2328 wrote to memory of 2512	2328	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe	31
PID 2328 wrote to memory of 2512	2328	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe	31
PID 2328 wrote to memory of 2512	2328	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe	31
PID 2328 wrote to memory of 2512	2328	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe	31
PID 2512 wrote to memory of 2060	2512	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp	32
PID 2512 wrote to memory of 2060	2512	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp	32
PID 2512 wrote to memory of 2060	2512	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp	32
PID 2512 wrote to memory of 2060	2512	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp	32
PID 2512 wrote to memory of 2060	2512	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp	32
PID 2512 wrote to memory of 2060	2512	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp	32
PID 2512 wrote to memory of 2060	2512	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp	32
PID 2060 wrote to memory of 2680	2060	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe	33
PID 2060 wrote to memory of 2680	2060	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe	33
PID 2060 wrote to memory of 2680	2060	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe	33
PID 2060 wrote to memory of 2680	2060	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe	33
PID 2060 wrote to memory of 2680	2060	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe	33
PID 2060 wrote to memory of 2680	2060	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe	33
PID 2060 wrote to memory of 2680	2060	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe	33
PID 2680 wrote to memory of 1148	2680	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp	34
PID 2680 wrote to memory of 1148	2680	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp	34
PID 2680 wrote to memory of 1148	2680	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp	34
PID 2680 wrote to memory of 1148	2680	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp	34
PID 2680 wrote to memory of 1148	2680	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp	34
PID 2680 wrote to memory of 1148	2680	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp	34
PID 2680 wrote to memory of 1148	2680	62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp	34

C:\Users\Admin\AppData\Local\Temp\62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe
"C:\Users\Admin\AppData\Local\Temp\62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\is-3GJVO.tmp\62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3GJVO.tmp\62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp" /SL5="$400F0,721126,73216,C:\Users\Admin\AppData\Local\Temp\62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe
    "C:\Users\Admin\AppData\Local\Temp\62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe" /VERYSILENT
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\is-MGQCH.tmp\62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-MGQCH.tmp\62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp" /SL5="$500F0,721126,73216,C:\Users\Admin\AppData\Local\Temp\62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\netapi32_2.ocx"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\netapi32_2.ocx

Filesize
1.4MB

MD5
c87013ae4715ff280d9f8d2fe749cdba

SHA1
5e7e78ca3d2f799cb9befb0a2f13a1d5636a04af

SHA256
fef9803aa84de828968ffcaebab6050c109147d96420a753b9a6b5d1968ed4bf

SHA512
af9292f763dcd829d3d3d5aa1cd38bae54c2ceb92572f231ede1793e303173f3ba7eef17fe167a0fdc7dd25a9869bd18da4d9e3cb5c75573f1edb6ff1f2e5aaf

Download Submit
\Users\Admin\AppData\Local\Temp\is-3GJVO.tmp\62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed.tmp

Filesize
711KB

MD5
9917f679a0135245a5cc6b1aadcb3a6c

SHA1
7aab67a56fd3e10fd070e29d2998af2162c0a204

SHA256
a0090b3a687e7d0a6d6b6918bcbb798ebecb184cba8d3eb5fe4345ec9aba9243

SHA512
87194d9f3c97b48a297faef76e3a308de6b454d10a5b50adeb22336982ca5bd5ba3a1cacb39cfbaf78a3befbc37967eb89a7c84cfdd53054204647dffd5b35cd

Download Submit
\Users\Admin\AppData\Local\Temp\is-92A95.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-92A95.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2060-27-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2060-24-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2060-57-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2328-29-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2328-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2328-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2512-11-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2512-26-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2680-55-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download