545403ae8941712ac4f021d5867ac8df35a554d5754192c54da66f7b2a2d4e5f

Analysis

max time kernel
119s
max time network
127s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68b8408aa7c238f2f6646abb8c2ff32b.exe
Size

15KB
MD5

68b8408aa7c238f2f6646abb8c2ff32b
SHA1

1eec3953051baedef2f9b56dce1dd2673a6dff29
SHA256

46e5a4768db1d83d467431c07274873f38728339a82ceddfa9ca188d7e83cf93
SHA512

41a57f39395e031524cdca1ff5c23f0db206f24bd2bef8d5b9ab2c399e9a5eaf0c27a563a420a1f157221194847af130061462effb2293120cf15f9844e68801
SSDEEP

384:7OTxng39jk1pH+uURZt4dyK3OV1fksha4H94XGZlcvbFZ:AxQ9jupmRZbAOV1q4H9HZluhZ

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2252	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68b8408aa7c238f2f6646abb8c2ff32b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2252	cmd.exe
2964	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2964	PING.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2440	2416	68b8408aa7c238f2f6646abb8c2ff32b.exe	30
PID 2416 wrote to memory of 2440	2416	68b8408aa7c238f2f6646abb8c2ff32b.exe	30
PID 2416 wrote to memory of 2440	2416	68b8408aa7c238f2f6646abb8c2ff32b.exe	30
PID 2416 wrote to memory of 2440	2416	68b8408aa7c238f2f6646abb8c2ff32b.exe	30
PID 2440 wrote to memory of 3000	2440	csc.exe	32
PID 2440 wrote to memory of 3000	2440	csc.exe	32
PID 2440 wrote to memory of 3000	2440	csc.exe	32
PID 2440 wrote to memory of 3000	2440	csc.exe	32
PID 2416 wrote to memory of 2252	2416	68b8408aa7c238f2f6646abb8c2ff32b.exe	33
PID 2416 wrote to memory of 2252	2416	68b8408aa7c238f2f6646abb8c2ff32b.exe	33
PID 2416 wrote to memory of 2252	2416	68b8408aa7c238f2f6646abb8c2ff32b.exe	33
PID 2416 wrote to memory of 2252	2416	68b8408aa7c238f2f6646abb8c2ff32b.exe	33
PID 2252 wrote to memory of 2964	2252	cmd.exe	35
PID 2252 wrote to memory of 2964	2252	cmd.exe	35
PID 2252 wrote to memory of 2964	2252	cmd.exe	35
PID 2252 wrote to memory of 2964	2252	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\68b8408aa7c238f2f6646abb8c2ff32b.exe
"C:\Users\Admin\AppData\Local\Temp\68b8408aa7c238f2f6646abb8c2ff32b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\avkgb0jd\avkgb0jd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7F1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC652509A0112B42FE8C98ED7A2C1E5D0.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\68b8408aa7c238f2f6646abb8c2ff32b.exe" & move "갔갍갡갥갢.exe" "C:\Users\Admin\AppData\Local\Temp\68b8408aa7c238f2f6646abb8c2ff32b.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC7F1.tmp

Filesize
1KB

MD5
e1ae5ce09b324973dedbb41dd4b95c2f

SHA1
f5cbdcc6ea2410c96894f01be4c9cbaac4858f6e

SHA256
c01dc247f0b0b87b489c12b34eafab6bd5969731493983e9762459c44f0f83f5

SHA512
32e2b372180e46bf481891d619badd91a88b77ecac17e5cf07fa2af4237aab0542bcc3c21e526a75c83c7ef8abb6fbe3d0032ac2d010e39f81b86b211b5d0481

Download Submit
C:\Users\Admin\AppData\Local\Temp\갔갍갡갥갢.exe

Filesize
15KB

MD5
eb52d9779a6f4777eb06ae4fbc40b305

SHA1
22e0a9e1fbf957d2b1bf7d052d25a6c645434009

SHA256
f99f477ad454b4abd50bb89b51ae3b880303dbb12c1fc9d02b5492b9d70de99f

SHA512
fcc45637e357588ac786fd93cfdec8ed0ff903f72a761335920bc2305b04bde622974c8726d91dd4544079e999c6a5205549061317ab4a694836cca5a513eb34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC652509A0112B42FE8C98ED7A2C1E5D0.TMP

Filesize
1KB

MD5
0f9e73cd96cb93fe2902026b8a478b4c

SHA1
5471283c128bfa0dbfb1998a898ba3153a9da74b

SHA256
a67cb4f4b0987763fdaf6a728224c57792eecebce518877bb88ea6d18256f741

SHA512
be4b34f9cd9231337a4bfd495af4597f46d70fcc5f64ce43c2603642585d26ab70ed8e0c57bd8e652a6d2af84118d76efe0664ea6e438ed612ebd357d65c6d29

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\avkgb0jd\avkgb0jd.0.cs

Filesize
26KB

MD5
492e91e09fde6f5578b0eb55a58ac451

SHA1
31cf66ad76d6101d164748eb180bf9215d945a9c

SHA256
3153257a7fd4f86145c33c5aa30d314fd5b8558f3e6ff796706203157c1a6e45

SHA512
46907e743c53a13e3b585bc860599a50d215d17a63a0b6c74ca3009212437adcf451e1e4e8004938ee0779ce1c7134beb4e9971566c8f096018cadeaa13891d7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\avkgb0jd\avkgb0jd.cmdline

Filesize
275B

MD5
2fff8b1d79a13c195eb288ccad63d8c0

SHA1
a55bdfc8c4d8aa9e2a722556d0c6b4d9738b600b

SHA256
0842558ffec8b00b7eb6ef2d78d1f978400916ef043138080dcb3fb6f32fe0e2

SHA512
a3654da8c8f243679658071e600f89f80b6eec6aec0c22466075fe27f9c288517192b6a110af5d464fe0aa5de36d44c5ec87ca599db338f8b6b161030f5638e9

Download Submit
memory/2416-0-0x000000007499E000-0x000000007499F000-memory.dmp

Filesize
4KB

Download
memory/2416-1-0x0000000000900000-0x000000000090A000-memory.dmp

Filesize
40KB

Download
memory/2416-2-0x0000000000300000-0x0000000000308000-memory.dmp

Filesize
32KB

Download
memory/2416-3-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2416-16-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/2416-20-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads