9a3d1cd3820c0296f76898ba10613fcf132e7bc059d940abfe0199b483badd33

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Crack/Regpatch.exe
Size

4KB
MD5

70f12c23265cab36b3817b99714734cf
SHA1

6effeb8357ec71a5935ed577ca93a474edb6f378
SHA256

55fec40192793d3ab278cdd26922c21e5ec7eb572c93530dfcb506a9232f7a7d
SHA512

c946ee7b624c651627b7dcc05dc0cd40ad9cb9e633b7ee2ca0e19a2dc7e1a76ab46e13fdcca54a1b58ef85939ad3fc58425638fa27bae4693f0e29fdc5659967
SSDEEP

48:6+1iLxvt+Pqzry5PnUpB/S1cYzr66NaYJiSolIKEVB1BtsehEW2QGI6ctbcSen//:/0Lxl+PqzO/9W6R3LT2ojSUOogOK/v

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regpatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1536	regedit.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1536	2088	Regpatch.exe	30
PID 2088 wrote to memory of 1536	2088	Regpatch.exe	30
PID 2088 wrote to memory of 1536	2088	Regpatch.exe	30
PID 2088 wrote to memory of 1536	2088	Regpatch.exe	30
PID 2088 wrote to memory of 1536	2088	Regpatch.exe	30
PID 2088 wrote to memory of 1536	2088	Regpatch.exe	30
PID 2088 wrote to memory of 1536	2088	Regpatch.exe	30

C:\Users\Admin\AppData\Local\Temp\Crack\Regpatch.exe
"C:\Users\Admin\AppData\Local\Temp\Crack\Regpatch.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe -s C:\ParaTemp.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ParaTemp.reg

Filesize
144B

MD5
26286862d63655287ae8bf2a7c4d9b30

SHA1
2c92aac7a2005ceef33d50b85541e504001d57b1

SHA256
0f83f55e5e18a02476e4c0f976f1bde36b509074e60db199a7c4e6643b482545

SHA512
6dce6bd5dfe67081b01a2ea24d1ee3875073ff53821ed381d2079addb9624b8bb3e9b5a147330d962e9b689606ae7639d4c1b4b4ea9add9f027bde91306f10ab

Download Submit
memory/2088-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2088-2-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2088-1-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2088-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download