210c1f480313df1c659875776b91f28807055722a5e7bd3c97479a602f45e539

Analysis

max time kernel
17s
max time network
25s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

392b83dfe242f57ec8703a99d79f2a20N.exe
Size

28KB
MD5

392b83dfe242f57ec8703a99d79f2a20
SHA1

babe79b3649706350593acd01101cf324191d09c
SHA256

210c1f480313df1c659875776b91f28807055722a5e7bd3c97479a602f45e539
SHA512

3c13620fa44ca1d2efedcd551d28341065b323cba0ec2f65ef63f7828f0b3245b1b6f0558ac1a14e7522625597c7941913a206500884f83290b91772f1866052
SSDEEP

384:+7ZfapsmVHgRK/rJ1OetA8gA49lBrenVyG+txHBtNsmSJJEFk+zm0Jkzd:OpgTARK/rRggVGhBRAEy+zmWkB

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3008	updatepdf.exe

Loads dropped DLL 4 IoCs

pid	Process
1984	392b83dfe242f57ec8703a99d79f2a20N.exe
3008	updatepdf.exe
3008	updatepdf.exe
3008	updatepdf.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	392b83dfe242f57ec8703a99d79f2a20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updatepdf.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 3008	1984	392b83dfe242f57ec8703a99d79f2a20N.exe	30
PID 1984 wrote to memory of 3008	1984	392b83dfe242f57ec8703a99d79f2a20N.exe	30
PID 1984 wrote to memory of 3008	1984	392b83dfe242f57ec8703a99d79f2a20N.exe	30
PID 1984 wrote to memory of 3008	1984	392b83dfe242f57ec8703a99d79f2a20N.exe	30
PID 1984 wrote to memory of 3008	1984	392b83dfe242f57ec8703a99d79f2a20N.exe	30
PID 1984 wrote to memory of 3008	1984	392b83dfe242f57ec8703a99d79f2a20N.exe	30
PID 1984 wrote to memory of 3008	1984	392b83dfe242f57ec8703a99d79f2a20N.exe	30

C:\Users\Admin\AppData\Local\Temp\392b83dfe242f57ec8703a99d79f2a20N.exe
"C:\Users\Admin\AppData\Local\Temp\392b83dfe242f57ec8703a99d79f2a20N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\updatepdf.exe
  "C:\Users\Admin\AppData\Local\Temp\updatepdf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\updatepdf.exe

Filesize
28KB

MD5
201c710787e2feb33e5e99735b2ded85

SHA1
ea958270e39adc76c9311d99cafcad3252744f95

SHA256
800df32aa906022b5302ff92fdb168f227e7d98c363db5913f0665bd1d5784b7

SHA512
796fc4597803909606d9bb59181df33f4499f95d9357d2a4d75fc1102cd5e7bfa97f66ac1e087ed49bf76bc29c267cc6014acc02fe0d9ce536fbf4455084af86

Download Submit
memory/1984-1-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download