01acf24e5951a2d6d9723153be9bded08a12a93eb0d2d23296e46946398ad47d

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03-08-2024 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfsdfsefsdf.exe
Size

314KB
MD5

1e70b1f2dfa3d0fac7676bf4c640ab26
SHA1

212ec263d1ad3d8b253ab333add181f05ab29f5f
SHA256

01acf24e5951a2d6d9723153be9bded08a12a93eb0d2d23296e46946398ad47d
SHA512

599a624c274069f011c580419dab9484b1efd23881cadb1b740809c6a29325ff2d2b3b0b828ea9ba0d37e83fb524b8d5052b8a9151be56b9d6cc503cedefb9c9
SSDEEP

6144:CUGv5Qw2U2sdKRUtlKZIIHDmu+Bi2OQbQzyu:qvOwrrdPIauCysQP

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3068	dfsdfsefsdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfsdfsefsdf.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3068	dfsdfsefsdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	dfsdfsefsdf.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2388	3068	dfsdfsefsdf.exe	30
PID 3068 wrote to memory of 2388	3068	dfsdfsefsdf.exe	30
PID 3068 wrote to memory of 2388	3068	dfsdfsefsdf.exe	30
PID 3068 wrote to memory of 2388	3068	dfsdfsefsdf.exe	30

C:\Users\Admin\AppData\Local\Temp\dfsdfsefsdf.exe
"C:\Users\Admin\AppData\Local\Temp\dfsdfsefsdf.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\temp\notepad.exe
  C:\Windows\temp\notepad.exe
  2⤵
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Temp\notepad.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
memory/3068-0-0x0000000074861000-0x0000000074862000-memory.dmp

Filesize
4KB

Download
memory/3068-1-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-2-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-7-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-8-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download