5e5d5458b8a025c2bc9a6e7998492989732967c9a1019b11d655200adf3686c7

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

820e99e0735f8d9d1de08e386589c506.exe
Size

15KB
MD5

820e99e0735f8d9d1de08e386589c506
SHA1

335b44f3ea73fc36519ca1f823f3afd7ce2c64dd
SHA256

701b77e509df1ce240271f9cc9ac874df64e593e0eb8f3cd207db9dcebbc22bc
SHA512

378353ffdafa706600a0a6c2efcf0bfa0d2d6eec948557a31667d9de2fccae6ac3fe735730ce4ed38210526834cfbdb1f549f48337cde2615d4cee3e78fc3e54
SSDEEP

384:8MrJk6GClRZt9qGOVNJk7ha4H949dyNx:hk6pRZPrOVh4H9wQx

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2760	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	820e99e0735f8d9d1de08e386589c506.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2760	cmd.exe
2664	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2664	PING.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2084	2248	820e99e0735f8d9d1de08e386589c506.exe	31
PID 2248 wrote to memory of 2084	2248	820e99e0735f8d9d1de08e386589c506.exe	31
PID 2248 wrote to memory of 2084	2248	820e99e0735f8d9d1de08e386589c506.exe	31
PID 2248 wrote to memory of 2084	2248	820e99e0735f8d9d1de08e386589c506.exe	31
PID 2084 wrote to memory of 3064	2084	csc.exe	33
PID 2084 wrote to memory of 3064	2084	csc.exe	33
PID 2084 wrote to memory of 3064	2084	csc.exe	33
PID 2084 wrote to memory of 3064	2084	csc.exe	33
PID 2248 wrote to memory of 2760	2248	820e99e0735f8d9d1de08e386589c506.exe	34
PID 2248 wrote to memory of 2760	2248	820e99e0735f8d9d1de08e386589c506.exe	34
PID 2248 wrote to memory of 2760	2248	820e99e0735f8d9d1de08e386589c506.exe	34
PID 2248 wrote to memory of 2760	2248	820e99e0735f8d9d1de08e386589c506.exe	34
PID 2760 wrote to memory of 2664	2760	cmd.exe	36
PID 2760 wrote to memory of 2664	2760	cmd.exe	36
PID 2760 wrote to memory of 2664	2760	cmd.exe	36
PID 2760 wrote to memory of 2664	2760	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\820e99e0735f8d9d1de08e386589c506.exe
"C:\Users\Admin\AppData\Local\Temp\820e99e0735f8d9d1de08e386589c506.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uqfrkwhp\uqfrkwhp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC8BE47614BEA4CE1B097F6C71765808D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\820e99e0735f8d9d1de08e386589c506.exe" & move "갣갯갆갇갉갭개.exe" "C:\Users\Admin\AppData\Local\Temp\820e99e0735f8d9d1de08e386589c506.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDF5.tmp

Filesize
1KB

MD5
4e8ec104662fbbc9041053cdabbb63ea

SHA1
693ff91a4636bf2947619f46bf0786e5885a1088

SHA256
e348c08371bb97db9401decb411a1967037abbf65d149dcf075ec807d303f645

SHA512
4df36345012bf0d6ce443addbf03931b9b5180d07b3753cf3b2d0b970bc320ee420dc59c2fb7bef9d0182883b2ce8faf8e9bbe6d4890cd627a389b2a0ed19a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\갣갯갆갇갉갭개.exe

Filesize
15KB

MD5
1331ce534f81637b3f1547bc89b70220

SHA1
da57a5a25f3bc4c3f80f998ad3cb399c0a9fa4ff

SHA256
8a1f18824e5443a26c3bb474f3136278d813dc887a06a96d72053133af1c9d63

SHA512
97079f35831cd7f56fe22e5d3b2ba2a9b2a2c03b27952c776ab969ed3525d0bb43c1c49a2c494c5c957b067a252fc595ceeea2477af380f869eb7f16c82f758d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC8BE47614BEA4CE1B097F6C71765808D.TMP

Filesize
1KB

MD5
12904ca7143c82e45388901916c97292

SHA1
78e3e09604d525f43011c4ce3267d5e9c1675611

SHA256
41280608261476e35e7e62e7ef683842fe37a82630d3e54770fc9931368ed36e

SHA512
170ba8a8f065a78ae272fd948996edaf6f0181ee62ccdf1bbb3fb3cb7ee93a5bc7c8aaf51dcce08da5aefa59c41a6cc0d52bc64924fb7187b5ead27cee2f6669

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uqfrkwhp\uqfrkwhp.0.cs

Filesize
25KB

MD5
4a4bff9e50db86795838ee748f94912b

SHA1
6f308364cba7582601c354639b01e71dc9d2d378

SHA256
3616e80a039f40dfc35de9499f80c53156952678f82eefbd7b1b3351f39d2869

SHA512
236d43a9a250330728cbac338c8fb6caddb58ded0162eb458b24f1c90832ef3c1a76fe75e84a98873ea4582ec6074dc2fd7e503c29a8dffd14d10388efcd5005

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uqfrkwhp\uqfrkwhp.cmdline

Filesize
281B

MD5
6de1a7d4873fefd1995e186ca33614da

SHA1
64209d1f0d9a16cc1dcd93497af263da996cdd3c

SHA256
74e6ffe5b2332e9b8da5d0cddcdb1fb6e9a385ea978828bd6ca70038eae39937

SHA512
118f0cffbf069cee1c09b9570d4fd6f63bb3f6127952102ece0d06d57a15fd468c23fa41836f709706498dff140ab1b82cc58f48be8347b5acea86e3eac91eeb

Download Submit
memory/2248-0-0x000000007467E000-0x000000007467F000-memory.dmp

Filesize
4KB

Download
memory/2248-1-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/2248-2-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/2248-3-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/2248-16-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/2248-20-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads