35916e8b40ec27b8f3a931566a94f5a464dc9e5783c7fca1bdd194e7193bf0d7

Analysis

max time kernel
117s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe
Size

369KB
MD5

b6c96e7e2111b5ee133675104824493c
SHA1

abf5259cbaf7e73721523719bee61a5586c47d21
SHA256

d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db
SHA512

3a4e395961ad70a806df4dd16ccac9ee6d692ffb4f7180c3409ad9dc8168c4f28f83b8201d3f2a7bde01f6bc820993881b85905e5768faf769a50649d1a096c0
SSDEEP

6144:2n6zJ4mHcCLCYTnWz79nWz7NYp6hYp6rvDLuimKkBREsVf+3Kg4:16m2QiQrfqREx4

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2384	MW5fajwHSsA8ySG.exe

Loads dropped DLL 1 IoCs

pid	Process
2228	d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MW5fajwHSsA8ySG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1764	ipconfig.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2372	2228	d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe	31
PID 2228 wrote to memory of 2372	2228	d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe	31
PID 2228 wrote to memory of 2372	2228	d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe	31
PID 2228 wrote to memory of 2372	2228	d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe	31
PID 2372 wrote to memory of 1764	2372	cmd.exe	33
PID 2372 wrote to memory of 1764	2372	cmd.exe	33
PID 2372 wrote to memory of 1764	2372	cmd.exe	33
PID 2372 wrote to memory of 1764	2372	cmd.exe	33
PID 2228 wrote to memory of 2384	2228	d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe	34
PID 2228 wrote to memory of 2384	2228	d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe	34
PID 2228 wrote to memory of 2384	2228	d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe	34
PID 2228 wrote to memory of 2384	2228	d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe	34

C:\Users\Admin\AppData\Local\Temp\d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe
"C:\Users\Admin\AppData\Local\Temp\d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:1764
- C:\Users\Admin\AppData\Local\Temp\MW5fajwHSsA8ySG.exe
  "C:\Users\Admin\AppData\Local\Temp\MW5fajwHSsA8ySG.exe" s
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW5fajwHSsA8ySG.exe

Filesize
371KB

MD5
e182c531712bd6a577c209b51f7015bc

SHA1
2a2114d9f3cb2c6732c82b52bf6943bbc6b87ab0

SHA256
ecbf2f77d0fd99ba61f49c376c95e9e2223f0492b785b14a1e3d870e0d0889cb

SHA512
c553c6eb502ed75b252fb4a34b4af036c931102ee74d19a31fcd04d0949112943a3b969accc20c9ac620f1b9eb33ea5742f0c17d157a389f4ace90183dbe742b

Download Submit
memory/2228-0-0x00000000748F1000-0x00000000748F2000-memory.dmp

Filesize
4KB

Download
memory/2228-1-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/2228-2-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/2228-3-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/2228-4-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/2228-13-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/2228-14-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/2228-15-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download