d68d39f6e8e3feb76604def44b3e6b84b1e12898973bb706bc973d5acfb313f3

Analysis

max time kernel
146s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7159d67905db8bd72ffa7889a805afa9.exe
Size

154KB
MD5

7159d67905db8bd72ffa7889a805afa9
SHA1

5d9c6a3ce820918978852f042d81600429b0f0a1
SHA256

d68d39f6e8e3feb76604def44b3e6b84b1e12898973bb706bc973d5acfb313f3
SHA512

7a5f69139edfd8eb2be8abdc42e8a24438f91a6b4960279fa4ad5036ec0a0515324af7c1a4ddd24e3d0aea45fc779ae4236905ca908270f7630cc3c000e0184e
SSDEEP

3072:y22ihA0m3BJP0A0v5CiJBqkp3O88VCca/VDILzRyTjZzb:tA0m3D0AUkkp1BI4nhb

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5056	BetterInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7159d67905db8bd72ffa7889a805afa9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BetterInstaller.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5056	BetterInstaller.exe
5056	BetterInstaller.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 5056	4248	7159d67905db8bd72ffa7889a805afa9.exe	87
PID 4248 wrote to memory of 5056	4248	7159d67905db8bd72ffa7889a805afa9.exe	87
PID 4248 wrote to memory of 5056	4248	7159d67905db8bd72ffa7889a805afa9.exe	87

C:\Users\Admin\AppData\Local\Temp\7159d67905db8bd72ffa7889a805afa9.exe
"C:\Users\Admin\AppData\Local\Temp\7159d67905db8bd72ffa7889a805afa9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Users\Admin\AppData\Local\Temp\BetterInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\BetterInstaller.exe" /affid "imagebadgerroox" /id "imagebadgercbnc" /name "ImageBadger"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BetterInstaller.exe

Filesize
207KB

MD5
d79b88bab3231ebebd3c6505ab68ce56

SHA1
3222e8dab740ba1d640cc66a9cd36070969deb80

SHA256
d4032354c8ca3b93fd18414d6a7935bcecb18f25534b2259eeaf7d3081ec13ec

SHA512
b8afbd52e74d8611714a33bd80a907be8080195bd574ceb0aa8ce44520c9cf6c40ccce4a4db9be0808b8b5a6b7b0fee17ee42f9cca67d69152dd1f1d8ddd99a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
98B

MD5
1c7a095b75ef7849dc48ad7b05b36af4

SHA1
a5614e1f80ad0776264acec3b35a3e0326aa1d1a

SHA256
7ed5c42e304cb13c36d8853f85fa804f41ae4052e847ecc2011dab6ff6426f08

SHA512
51c46fe4e30cbe4157d8b8bf8be67a154af2a546af42971f68d2d185c30c1b4c1ae540658e0ca0a24bae1baeeb0ddd0e3ddf3773de58a21eedfb318dd6523e49

Download Submit
memory/4248-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5056-15-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/5056-71-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download