84b4f4326535e3e7d0e1fcc14a2d75788c0265de8cd038caa063bed8b3227d60

Analysis

max time kernel
102s
max time network
38s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02-08-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a9ed3fbc7560bce4f4d32bf102a70a0N.exe
Size

334KB
MD5

1a9ed3fbc7560bce4f4d32bf102a70a0
SHA1

7f5804d81a2fda0a3c6556ddd668e7be0cca7baf
SHA256

84b4f4326535e3e7d0e1fcc14a2d75788c0265de8cd038caa063bed8b3227d60
SHA512

931414d584ab82a66bc8925dbb63a6684aea3d33aac4116cdaf15267614d309131465b7e804fb23962267610b4483688fa237ad2aa88515567240b2ba0a092ef
SSDEEP

6144:ptN0AF77JPbiMTa/IqLLxj+Zei/ypAShGhSG:fSYFz/TuL1DASh4SG

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a9ed3fbc7560bce4f4d32bf102a70a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
988	dw20.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 988	2564	1a9ed3fbc7560bce4f4d32bf102a70a0N.exe	30
PID 2564 wrote to memory of 988	2564	1a9ed3fbc7560bce4f4d32bf102a70a0N.exe	30
PID 2564 wrote to memory of 988	2564	1a9ed3fbc7560bce4f4d32bf102a70a0N.exe	30
PID 2564 wrote to memory of 988	2564	1a9ed3fbc7560bce4f4d32bf102a70a0N.exe	30

C:\Users\Admin\AppData\Local\Temp\1a9ed3fbc7560bce4f4d32bf102a70a0N.exe
"C:\Users\Admin\AppData\Local\Temp\1a9ed3fbc7560bce4f4d32bf102a70a0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 964
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/988-10-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/988-12-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2564-0-0x0000000074A21000-0x0000000074A22000-memory.dmp

Filesize
4KB

Download
memory/2564-1-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download
memory/2564-2-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download
memory/2564-11-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download