474f5a044dba8065d5a8f75d6753a9181a23f5dfb511db45a5127c93d6b7522a

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
28/07/2024, 01:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

34799e735aa9445ca94c7a00349a1f0f.exe
Size

51KB
MD5

34799e735aa9445ca94c7a00349a1f0f
SHA1

8b4a862b4da8a19c1e5c1527f0004224b0933541
SHA256

474f5a044dba8065d5a8f75d6753a9181a23f5dfb511db45a5127c93d6b7522a
SHA512

d3e4ae61af34ef57c5d8babfbc930f44db120db91b8ee94209f40a75f37d81d0947dd15ecf3d6e036fb4b9e5c0ece9ee8ed7c79cafce57a6826115d59801e1ef
SSDEEP

768:vQz7yVEhs9+js1SQtOOtEvwDpjz9+4/Uth8igNrr42A7n0FmB0nd7:vj+jsMQMOtEvwDpj5HczerLO04Ba7

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1180	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
1732	34799e735aa9445ca94c7a00349a1f0f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34799e735aa9445ca94c7a00349a1f0f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	misid.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1180	1732	34799e735aa9445ca94c7a00349a1f0f.exe	29
PID 1732 wrote to memory of 1180	1732	34799e735aa9445ca94c7a00349a1f0f.exe	29
PID 1732 wrote to memory of 1180	1732	34799e735aa9445ca94c7a00349a1f0f.exe	29
PID 1732 wrote to memory of 1180	1732	34799e735aa9445ca94c7a00349a1f0f.exe	29

C:\Users\Admin\AppData\Local\Temp\34799e735aa9445ca94c7a00349a1f0f.exe
"C:\Users\Admin\AppData\Local\Temp\34799e735aa9445ca94c7a00349a1f0f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
51KB

MD5
69cf097398d11fd763604fd90909ded0

SHA1
7e73cc2a0ab411c2816246842c16ca1ea627964f

SHA256
692e9155ea865888066fa7897e40f886da38cf45395547efab13d481c6fffd26

SHA512
acc44ac2c10058da9589fa7acc71da88d2370c0e212a2a55c615bfd3d5775cbdeca14355e7c61cfbc0371ea9d3d7ce78fafb2898afadb56b5819d9679db00480

Download Submit
memory/1180-16-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/1180-15-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1732-8-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/1732-1-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/1732-0-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download