Analysis
max time kernel: 16s
max time network: 16s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 06/08/2024, 01:17
Static task: static1
Behavioral task: behavioral1
  Sample: 37b6d904c13a7ab0f61df8e61bef9760N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 37b6d904c13a7ab0f61df8e61bef9760N.exe
  Resource: win10v2004-20240802-en
General
Target: 37b6d904c13a7ab0f61df8e61bef9760N.exe
Size: 390KB
MD5: 37b6d904c13a7ab0f61df8e61bef9760
SHA1: c25da969b08ac17852264f6dffa6b39a840e2030
SHA256: 4680fda34192d0274834b36fa2d083922a11edb760531356c93b07ae961ed4d8
SHA512: d482c75038739acb2c13a3d8a888321b3b45b7af51f48a794a689712a1c9b9ebfac895583c31a88f3dfeb6192b4a2e76405c9c86ada972e53f34d869b5f706c2
SSDEEP: 12288:tSqQLZQRETdnspKyUWUn4OY5QQzzOPH1rJMP:E99JW64O7QzzM
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid   Process
  2156  appropriate.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  1712  37b6d904c13a7ab0f61df8e61bef9760N.exe
  1712  37b6d904c13a7ab0f61df8e61bef9760N.exe
- Drops file in Program Files directory (1 IoCs)
  description   ioc                                            Process
  File created  C:\Program Files\development\appropriate.exe   37b6d904c13a7ab0f61df8e61bef9760N.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  37b6d904c13a7ab0f61df8e61bef9760N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  appropriate.exe
- Suspicious use of SetWindowsHookEx (8 IoCs)
  pid   Process
  1712  37b6d904c13a7ab0f61df8e61bef9760N.exe
  1712  37b6d904c13a7ab0f61df8e61bef9760N.exe
  1712  37b6d904c13a7ab0f61df8e61bef9760N.exe
  1712  37b6d904c13a7ab0f61df8e61bef9760N.exe
  2156  appropriate.exe
  2156  appropriate.exe
  2156  appropriate.exe
  2156  appropriate.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                                procid_target
  PID 1712 wrote to memory of 2156   1712  37b6d904c13a7ab0f61df8e61bef9760N.exe  30
  PID 1712 wrote to memory of 2156   1712  37b6d904c13a7ab0f61df8e61bef9760N.exe  30
  PID 1712 wrote to memory of 2156   1712  37b6d904c13a7ab0f61df8e61bef9760N.exe  30
  PID 1712 wrote to memory of 2156   1712  37b6d904c13a7ab0f61df8e61bef9760N.exe  30
Processes
1. C:\Users\Admin\AppData\Local\Temp\37b6d904c13a7ab0f61df8e61bef9760N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\37b6d904c13a7ab0f61df8e61bef9760N.exe"
   - Loads dropped DLL
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 1712
   2. C:\Program Files\development\appropriate.exe (child of PID 1712)
      Command line: "C:\Program Files\development\appropriate.exe" "33201"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 2156
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 390KB
MD5: 28b1bc727b3ab5a23621f397b8afb193
SHA1: e258c9c0d76007ace3c13024e7a7398ba68c2414
SHA256: 5d49b74984f16fdaa4d585a7caf9fe17e3ff72f50575e5a256667b1e9cdd998d
SHA512: c96d991654309f5cb5b5e7423a7ae2f2e53e6a0d41fd27432148eb62639367c8042d53e2ec6ce310afe2179b61cc8b2bf5e5ed67bb2b41a746c1dc12b5837f1b