f4111d30be32600233ad61440ff2f9a6484f3ba6c04fae4b522fc09ab0de3831

Analysis

max time kernel
7s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

487afaa2421384f1449a96637df558b4.exe
Size

15KB
MD5

487afaa2421384f1449a96637df558b4
SHA1

87f9edc71b13f5bb1b87e0369e531ee6d17aff4d
SHA256

b6fd976bea3755f5b73802548928b389789584076b9d5a3e5d42642792707cdd
SHA512

905765c455b15e2221e92cb42abb075aac1bb8add344f4e8a4d9334361239d741077918f9d04f21effbb3c72f19124521bc097170099d6a31b802c523b2b6985
SSDEEP

384:o7y8xJoeC71aRZtKBl9vOVUkgha4H94jWjel0:oek65URZWnvOVJ4H9XA0

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	487afaa2421384f1449a96637df558b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2900	cmd.exe
3060	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3060	PING.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2924	2428	487afaa2421384f1449a96637df558b4.exe	31
PID 2428 wrote to memory of 2924	2428	487afaa2421384f1449a96637df558b4.exe	31
PID 2428 wrote to memory of 2924	2428	487afaa2421384f1449a96637df558b4.exe	31
PID 2428 wrote to memory of 2924	2428	487afaa2421384f1449a96637df558b4.exe	31
PID 2924 wrote to memory of 1260	2924	csc.exe	33
PID 2924 wrote to memory of 1260	2924	csc.exe	33
PID 2924 wrote to memory of 1260	2924	csc.exe	33
PID 2924 wrote to memory of 1260	2924	csc.exe	33
PID 2428 wrote to memory of 2900	2428	487afaa2421384f1449a96637df558b4.exe	34
PID 2428 wrote to memory of 2900	2428	487afaa2421384f1449a96637df558b4.exe	34
PID 2428 wrote to memory of 2900	2428	487afaa2421384f1449a96637df558b4.exe	34
PID 2428 wrote to memory of 2900	2428	487afaa2421384f1449a96637df558b4.exe	34
PID 2900 wrote to memory of 3060	2900	cmd.exe	36
PID 2900 wrote to memory of 3060	2900	cmd.exe	36
PID 2900 wrote to memory of 3060	2900	cmd.exe	36
PID 2900 wrote to memory of 3060	2900	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\487afaa2421384f1449a96637df558b4.exe
"C:\Users\Admin\AppData\Local\Temp\487afaa2421384f1449a96637df558b4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vbmru0tn\vbmru0tn.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2F8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC806941BFE44343A49EB269F3C8DD6037.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1260
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\487afaa2421384f1449a96637df558b4.exe" & move "갌갉갈감갍개갏갭갡갢갡갨갨.exe" "C:\Users\Admin\AppData\Local\Temp\487afaa2421384f1449a96637df558b4.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD2F8.tmp

Filesize
1KB

MD5
1bf24b67d7c87af946b00d41570ed062

SHA1
3ee3fe3f286c5c26a48d5ffce25a7d062ed53cae

SHA256
70bcc1c1b767501b8cc52f48ccf4c98f1bbc20c2ae4604955580c1c2aa28a7bf

SHA512
8001e85fa201520a462cc36e5cae168f240dbd9d95b5b6ba39af8dedc5660e0de74d5c1f41c2229f2044b8fecc9b0e2612eb8f73527cbb097892e10f4ed0814d

Download Submit
C:\Users\Admin\AppData\Local\Temp\갌갉갈감갍개갏갭갡갢갡갨갨.exe

Filesize
15KB

MD5
5a70ad8b398b00600df7bea34fcf99a5

SHA1
cac3025ef09753e14765950a32e27d465e87b9b5

SHA256
48d14a03e22119ef315ec8cc0be65cb5a471a815a0743ba579c871388ddb0316

SHA512
0e7fb8095acb232d20e3931e6a45ff60ee959b21b178fbf3247839e44b26cf3196ec6e0cd04578fd55a148a57eb0da2867ca0969aba59a5f67efe4d66513b2cd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC806941BFE44343A49EB269F3C8DD6037.TMP

Filesize
1KB

MD5
79dd75c66f0f37e60756d4056df72b00

SHA1
3afbb2a7abbf8d510e12925008eef39c2b9b2b76

SHA256
54cc91a8c4dfc5c074d30c56ec0119314f2cfdee9061480ed3ba93a5f1c82a75

SHA512
dc6fdba22c42075e1e58fc5b1b97722eb3dcfccaabb5b56a3905ac4c789da1023937b743892175776c10f5af51bc84e5b28199458d87982b5d5d2ddcc6566aec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vbmru0tn\vbmru0tn.0.cs

Filesize
25KB

MD5
7eff2cca5c0e7e3c5c2604bee5103524

SHA1
b1cf02f78e6d9f1c2009e6f89f8ae8530afe6e6a

SHA256
18f427f589ece62f69a1d4f47bd902d8f4d322cd1766358768268e9b983a48c5

SHA512
4676f3d5f628729e5d8ac3d19623d19b99b5bad2ff37fbecf2fbe0688cc59c0085788458edba29c2bef4896ae38b1c50a5d89fb3c0354adf654f90cf1154469c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vbmru0tn\vbmru0tn.cmdline

Filesize
299B

MD5
b7602bf29172e194d99cb34df938004c

SHA1
383e578d93173c8088ec2d6c84bf06a9a05720a5

SHA256
b2a1ff966547167e5b76740a2f28f5e7cd5bf7893ac68abb3354848ee57173bb

SHA512
f45796fc7a5f86d60b99edbd0146b3c48ff202accc3053271e76e2799f71d1bc4674aacf24d463c43827c49a5b338c79c69a80eb22aa0d4fb786c46365c2f84d

Download Submit
memory/2428-0-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/2428-1-0x0000000000830000-0x000000000083A000-memory.dmp

Filesize
40KB

Download
memory/2428-2-0x0000000000210000-0x0000000000218000-memory.dmp

Filesize
32KB

Download
memory/2428-3-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2428-20-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2428-16-0x00000000004D0000-0x00000000004DA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads