Analysis

  • max time kernel
    119s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/07/2024, 23:02

General

  • Target

    12fb9625ee3d41450c3970da3f0cd0b0N.exe

  • Size

    2.7MB

  • MD5

    12fb9625ee3d41450c3970da3f0cd0b0

  • SHA1

    9b81575739c3730858d01394017733d123d2d671

  • SHA256

    d13d277ae6803395b9be657d5f748f0fafeff7d59125a7dadd9994319fc02610

  • SHA512

    b4adfacbb8c136fd13bd84a69e7e3a1d2437529c488ad67322b5100713d3f885ce2c0221210a63e4817c8d279706821c84c2040721220aee7c21e5bc39256ff5

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBV9w4S+:+R0pI/IQlUoMPdmpSpF4X

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12fb9625ee3d41450c3970da3f0cd0b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\12fb9625ee3d41450c3970da3f0cd0b0N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4612
    • C:\IntelprocSA\devbodloc.exe
      C:\IntelprocSA\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      PID:1292

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocSA\devbodloc.exe

    Filesize

    2.7MB

    MD5

    19e3a99ccc7bffec8833c3112ace2ab2

    SHA1

    64c670a39ca67ac4ca73d2b9a116c4743b8e3c15

    SHA256

    9cd156705679753f4268e2ffe757f7076efabc659d6dbe95f5e5f76efe1f2463

    SHA512

    4c33100993c3e10783dadf670bdc57ef19a023eaf4ebb5e711617c145bec19ea1dfb19dd6580b2cdca8dd5f57dff664c472bb8799f25d08b58754394e4c36d16

  • C:\MintRV\dobxloc.exe

    Filesize

    111KB

    MD5

    a1e993e40dd74019d52aa4bdabf41064

    SHA1

    febe01b64e766e8bd5f59317426127ad9d011f76

    SHA256

    fafb4b374cc41543a3ad13ab6ea05fe95282ccfd571129b868c72d3f54a9306d

    SHA512

    9f114ed5ce71db52ee79179edf39a5b732ce43f9080d1e871551f7d6bc1c11cee4240d7c3f5beba677433d3b05fd8bd7e81c43dbc5ba1f3b68ce0a34c1aed967

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    208B

    MD5

    9f197a87d6fa867f59caf2e9b99018bd

    SHA1

    dd53d3cddd0473828b5907baad9ec85c27ed9dd4

    SHA256

    1ded14f2076d8f313c1f81cba5078c62907f6f4355526e7f5904c844c23421f7

    SHA512

    f3c7c1878c347749640367b5f73658591437a80f4494f1c4441c6c071c166ffd2a60d77f879db39d44521577ea688f335e8f6eafd3afaeecd724cc1b27028283