23277d08d3004e141ee4a7881c9d95837cc0ae8910dc1ef8f37a9b9180982285

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/08/2024, 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

191183d7f4955f24e1efac60f3957a50N.exe
Size

32KB
MD5

191183d7f4955f24e1efac60f3957a50
SHA1

4d3e8f377b64262abd1c92f25f3322d3b8108d3e
SHA256

23277d08d3004e141ee4a7881c9d95837cc0ae8910dc1ef8f37a9b9180982285
SHA512

2197f4ae791663fd0ba2a8fef5b87ca0694c87ac1456a02a79ec77e1a160b0af28fabb4fca76883a3e25baeb31ed6556aaea623d0d7638c3764e6547a06aed48
SSDEEP

768:pVClzjrE/WtpDxP3X4GdAk4U+eCXwmKwisk:ps1HyWtpDxfX4GdAk4U+eCzKrsk

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
376	avgbrowse.exe

Loads dropped DLL 1 IoCs

pid	Process
2960	191183d7f4955f24e1efac60f3957a50N.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2960-0-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/2960-6-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/files/0x00090000000120fb-7.dat	upx
behavioral1/memory/376-8-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/376-11-0x0000000000400000-0x0000000000411000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	icanhazip.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	191183d7f4955f24e1efac60f3957a50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avgbrowse.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 376	2960	191183d7f4955f24e1efac60f3957a50N.exe	30
PID 2960 wrote to memory of 376	2960	191183d7f4955f24e1efac60f3957a50N.exe	30
PID 2960 wrote to memory of 376	2960	191183d7f4955f24e1efac60f3957a50N.exe	30
PID 2960 wrote to memory of 376	2960	191183d7f4955f24e1efac60f3957a50N.exe	30

C:\Users\Admin\AppData\Local\Temp\191183d7f4955f24e1efac60f3957a50N.exe
"C:\Users\Admin\AppData\Local\Temp\191183d7f4955f24e1efac60f3957a50N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\avgbrowse.exe
  C:\Users\Admin\AppData\Local\Temp\avgbrowse.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avgbrowse.exe

Filesize
32KB

MD5
6d401b1738d74075e98ab0d1241142df

SHA1
10c1942a1d7089b15c1b09999422b5db1f2a1823

SHA256
e0dcdb6cb2c269dc62eef1a8131576ad40c79c7ff17400788a4367a760f6b4dd

SHA512
80e23c6d21a62129022879ad0e1abe027570e2cc8a0819ee7e24267b6b706781e92c61bb24c43bd3fb638d7431c429ae5f808e3c36cae3c20ffb0d2f2498898d

Download Submit
memory/376-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/376-10-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/376-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2960-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2960-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download