286e0821c9dff60f28f608fbc48788495e4fc25616f718991a9b1979fce08cac

Analysis

max time kernel
136s
max time network
148s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:15 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0e8870a05aca75049ce841f3c69b1197885514c49e316acac199914998d2444.exe
Size

154KB
MD5

e030eb40be750f3fb66967ad6d098c37
SHA1

f4ad311180d5086be0e281af0f22f52ef9a7e2a2
SHA256

b0e8870a05aca75049ce841f3c69b1197885514c49e316acac199914998d2444
SHA512

7fbb246e5b97c876bb9ef6f85eabdc73129a15e23d45ee20953dc40de8363087715f9fe8f36aea7eea59019e10396db5539a4078f3d7c7c89b1dc8617088d131
SSDEEP

1536:2mZmg5zb02q/t6jOFvDO7slsF9PS24s+lSmSWQWOxzlAuT2oLkC1N5UbsGt3kcm5:JZmCb6ROF96zMq1yLAHtUcmKyR

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2800	MangerFolder.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0e8870a05aca75049ce841f3c69b1197885514c49e316acac199914998d2444.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MangerFolder.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2456	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 2032	1336	b0e8870a05aca75049ce841f3c69b1197885514c49e316acac199914998d2444.exe	31
PID 1336 wrote to memory of 2032	1336	b0e8870a05aca75049ce841f3c69b1197885514c49e316acac199914998d2444.exe	31
PID 1336 wrote to memory of 2032	1336	b0e8870a05aca75049ce841f3c69b1197885514c49e316acac199914998d2444.exe	31
PID 1336 wrote to memory of 2032	1336	b0e8870a05aca75049ce841f3c69b1197885514c49e316acac199914998d2444.exe	31
PID 2032 wrote to memory of 2456	2032	cmd.exe	33
PID 2032 wrote to memory of 2456	2032	cmd.exe	33
PID 2032 wrote to memory of 2456	2032	cmd.exe	33
PID 2032 wrote to memory of 2456	2032	cmd.exe	33
PID 2812 wrote to memory of 2800	2812	taskeng.exe	35
PID 2812 wrote to memory of 2800	2812	taskeng.exe	35
PID 2812 wrote to memory of 2800	2812	taskeng.exe	35
PID 2812 wrote to memory of 2800	2812	taskeng.exe	35

C:\Users\Admin\AppData\Local\Temp\b0e8870a05aca75049ce841f3c69b1197885514c49e316acac199914998d2444.exe
"C:\Users\Admin\AppData\Local\Temp\b0e8870a05aca75049ce841f3c69b1197885514c49e316acac199914998d2444.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Mangers" /tr "C:\Users\Admin\AppData\Local\MangerFolder.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Mangers" /tr "C:\Users\Admin\AppData\Local\MangerFolder.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2456

C:\Windows\system32\taskeng.exe
taskeng.exe {E4230C4D-26D8-42F7-8E7A-6239BFC8C902} S-1-5-21-677481364-2238709445-1347953534-1000:JXXXDSWS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Local\MangerFolder.exe
  C:\Users\Admin\AppData\Local\MangerFolder.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2800

Network

DNS

soft.fileshipoo.com

MangerFolder.exe

Remote address:

8.8.8.8:53

Request

soft.fileshipoo.com

IN A

Response

soft.fileshipoo.com

IN A

76.223.54.146

soft.fileshipoo.com

IN A

13.248.169.48
POST

http://soft.fileshipoo.com/ford/submit_ticket.php

MangerFolder.exe

Remote address:

76.223.54.146:80

Request

POST /ford/submit_ticket.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: soft.fileshipoo.com
Content-Length: 218
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 405 Method Not Allowed

content-length: 0
POST

http://soft.fileshipoo.com/ford/submit_ticket.php

MangerFolder.exe

Remote address:

76.223.54.146:80

Request

POST /ford/submit_ticket.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: soft.fileshipoo.com
Content-Length: 218
Expect: 100-continue

Response

HTTP/1.1 405 Method Not Allowed

content-length: 0
POST

http://soft.fileshipoo.com/ford/submit_ticket.php

Remote address:

76.223.54.146:80

Request

POST /ford/submit_ticket.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: soft.fileshipoo.com
Content-Length: 218
Expect: 100-continue

Response

HTTP/1.1 405 Method Not Allowed

content-length: 0

76.223.54.146:80

http://soft.fileshipoo.com/ford/submit_ticket.php

http

MangerFolder.exe

672 B
266 B
6
5

HTTP Request

POST http://soft.fileshipoo.com/ford/submit_ticket.php

HTTP Response

405
76.223.54.146:80

http://soft.fileshipoo.com/ford/submit_ticket.php

http

MangerFolder.exe

648 B
266 B
6
5

HTTP Request

POST http://soft.fileshipoo.com/ford/submit_ticket.php

HTTP Response

405
76.223.54.146:80

http://soft.fileshipoo.com/ford/submit_ticket.php

http

656 B
182 B
6
3

HTTP Request

POST http://soft.fileshipoo.com/ford/submit_ticket.php

HTTP Response

405

8.8.8.8:53

soft.fileshipoo.com

dns

MangerFolder.exe

65 B
97 B
1
1

DNS Request

soft.fileshipoo.com

DNS Response

76.223.54.146

13.248.169.48

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MangerFolder.exe

Filesize
154KB

MD5
ca88b10433952fe3d07dd38277c8eb84

SHA1
d73feae781517b31e4953912170a84e04918c7d9

SHA256
c243bd322f5f8f4ef7ef79ccaa8a3b121490e302839bc53e6d9c874ffabf545d

SHA512
64841dd3e035de56054d219c5f546a25cebfd8d2e2e8ab074556b8f96591715c7cff6cfa92341c2e5b766eb6ed4986ba518ab2772549c75850104ffb1527ff28

Download Submit
memory/1336-0-0x0000000074011000-0x0000000074012000-memory.dmp

Filesize
4KB

Download
memory/1336-1-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download
memory/1336-2-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download
memory/1336-3-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download
memory/1336-6-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download
memory/1336-5-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.