Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 02-08-2024 23:59
Static task: static1
Behavioral task: behavioral1
Sample: 8795a5b03ecbfefd9c2e72479025c3dde14313b04985ade80bf2eb21fff12366.exe
Resource: win7-20240708-en
General
Target: 8795a5b03ecbfefd9c2e72479025c3dde14313b04985ade80bf2eb21fff12366.exe
Size: 1.2MB
MD5: 3dc8ca829ea4639a0d78f05ae481eec0
SHA1: 02bf8b9d26be7be2727bf980b5eb1e5e1c29bd0d
SHA256: 8795a5b03ecbfefd9c2e72479025c3dde14313b04985ade80bf2eb21fff12366
SHA512: 5162ee7aaaeabaf66280621bb239f47d3f8e66bc5fa9fee06083c60b9a7f5c27aa66b08dedca083e0e913ca8a9145e951c495fa327c31f822977243b46de8732
SSDEEP: 24576:KSY88f02Q1HCEWN2ZIOlWZelqxKR8MdjGUZWXABvz5nhj6Mcg8:z88FCEHwxKliUZvBvphtP
Malware Config
Signatures
-
Loads dropped DLL (9 IoCs)
Processes:
  pid   process
  3032  8795a5b03ecbfefd9c2e72479025c3dde14313b04985ade80bf2eb21fff12366.exe
  (this row is repeated 9 times in the report, one per IoC)
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process                                                                  target process
  PID 3032 set thread context of 2716  3032  8795a5b03ecbfefd9c2e72479025c3dde14313b04985ade80bf2eb21fff12366.exe  8795a5b03ecbfefd9c2e72479025c3dde14313b04985ade80bf2eb21fff12366.exe
-
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                           process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8795a5b03ecbfefd9c2e72479025c3dde14313b04985ade80bf2eb21fff12366.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   3032  8795a5b03ecbfefd9c2e72479025c3dde14313b04985ade80bf2eb21fff12366.exe
-
Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  description                        pid   process                                                                  target process
  PID 3032 wrote to memory of 2716   3032  8795a5b03ecbfefd9c2e72479025c3dde14313b04985ade80bf2eb21fff12366.exe  8795a5b03ecbfefd9c2e72479025c3dde14313b04985ade80bf2eb21fff12366.exe
  (this row is repeated 15 times in the report, one per IoC)
Processes
1. C:\Users\Admin\AppData\Local\Temp\8795a5b03ecbfefd9c2e72479025c3dde14313b04985ade80bf2eb21fff12366.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\8795a5b03ecbfefd9c2e72479025c3dde14313b04985ade80bf2eb21fff12366.exe"
   PID: 3032
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\8795a5b03ecbfefd9c2e72479025c3dde14313b04985ade80bf2eb21fff12366.exe (child of PID 3032)
      command line: C:\Users\Admin\AppData\Local\Temp\8795a5b03ecbfefd9c2e72479025c3dde14313b04985ade80bf2eb21fff12366.exe
      PID: 2716
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 23KB
MD5: 63fc996c75f5560acbe0a28dfee18f07
SHA1: f07317e054060d5bc41b9c583ead723288e2cdd4
SHA256: b1409c400b05819d175022c10ce322d20658cff102d5b78900d4cd2fc20a7dc9
SHA512: dffe944844fccfa7fadf91326fc931b7536d25f1ce205cd9cafad0319402a2c79dbce96003f441433991eae3685d71cded6ed27a24e21d58463c009461fb5f7e
-
Filesize: 21KB
MD5: 2f52e1cc7eb9a7380dbf0d4ec24663bd
SHA1: 7cd8cf6e15a87fa70a0065d4fa2e7cccd62bb85f
SHA256: a62407aaa2d649a6bace93fa802408977844c6a4264df5d1713842b5fb98f386
SHA512: 8d5450f1ad0c237fc9ea076ecca1ea9667c9f560d6a264349320461ff4f35efaa64a0541167e3f8ad1a13f4f4ef453ec72b5e4d013b7a783a3fabbe1a4426002
-
Filesize: 22KB
MD5: 91e37a28b4ab1e638bd54084a298dad5
SHA1: 6c3c1d79bb96585738108fafe3d7605183cb5dd9
SHA256: 0fe99fd185be2fdd7c8d26c972cda38fe14f39a6d4530951ce56fd743c64095e
SHA512: ab3609b69dd33f4bf13aaac5f8ef0dbe9f5001884f068ff5c14ff1c2b529b460ba56bea35e901e16fb1eb133c25c42d9a0ac8db0c542ea4dd450449730efe5b2