4680fda34192d0274834b36fa2d083922a11edb760531356c93b07ae961ed4d8

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37b6d904c13a7ab0f61df8e61bef9760N.exe
Size

390KB
MD5

37b6d904c13a7ab0f61df8e61bef9760
SHA1

c25da969b08ac17852264f6dffa6b39a840e2030
SHA256

4680fda34192d0274834b36fa2d083922a11edb760531356c93b07ae961ed4d8
SHA512

d482c75038739acb2c13a3d8a888321b3b45b7af51f48a794a689712a1c9b9ebfac895583c31a88f3dfeb6192b4a2e76405c9c86ada972e53f34d869b5f706c2
SSDEEP

12288:tSqQLZQRETdnspKyUWUn4OY5QQzzOPH1rJMP:E99JW64O7QzzM

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2156	appropriate.exe

Loads dropped DLL 2 IoCs

pid	Process
1712	37b6d904c13a7ab0f61df8e61bef9760N.exe
1712	37b6d904c13a7ab0f61df8e61bef9760N.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\development\appropriate.exe	37b6d904c13a7ab0f61df8e61bef9760N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37b6d904c13a7ab0f61df8e61bef9760N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	appropriate.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1712	37b6d904c13a7ab0f61df8e61bef9760N.exe
1712	37b6d904c13a7ab0f61df8e61bef9760N.exe
1712	37b6d904c13a7ab0f61df8e61bef9760N.exe
1712	37b6d904c13a7ab0f61df8e61bef9760N.exe
2156	appropriate.exe
2156	appropriate.exe
2156	appropriate.exe
2156	appropriate.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2156	1712	37b6d904c13a7ab0f61df8e61bef9760N.exe	30
PID 1712 wrote to memory of 2156	1712	37b6d904c13a7ab0f61df8e61bef9760N.exe	30
PID 1712 wrote to memory of 2156	1712	37b6d904c13a7ab0f61df8e61bef9760N.exe	30
PID 1712 wrote to memory of 2156	1712	37b6d904c13a7ab0f61df8e61bef9760N.exe	30

C:\Users\Admin\AppData\Local\Temp\37b6d904c13a7ab0f61df8e61bef9760N.exe
"C:\Users\Admin\AppData\Local\Temp\37b6d904c13a7ab0f61df8e61bef9760N.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Program Files\development\appropriate.exe
  "C:\Program Files\development\appropriate.exe" "33201"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\development\appropriate.exe

Filesize
390KB

MD5
28b1bc727b3ab5a23621f397b8afb193

SHA1
e258c9c0d76007ace3c13024e7a7398ba68c2414

SHA256
5d49b74984f16fdaa4d585a7caf9fe17e3ff72f50575e5a256667b1e9cdd998d

SHA512
c96d991654309f5cb5b5e7423a7ae2f2e53e6a0d41fd27432148eb62639367c8042d53e2ec6ce310afe2179b61cc8b2bf5e5ed67bb2b41a746c1dc12b5837f1b

Download Submit