d0c84de684eb7f79ba4644c51cc1eaca77180b160bd1897f33e749c50eed0035

Analysis

max time kernel
5s
max time network
0s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 04:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fixer.exe
Size

179KB
MD5

a07ce644f1b8a398a357f33e7e5c4925
SHA1

bdb5a70e5e49732c2f69c5376e79cd6991c34cf0
SHA256

cdceb6d70ed395f11df4f910242df41f346a89018390e01ea6386ba4fd8bcb82
SHA512

dd054b2a345e24cfb87e7eb0693c4b407d5b1ae732f3d2ced2249690fa97516c43583b5da293273b0afa36163e86ad68c05b18869cf14789eb2f02d5373e7ff3
SSDEEP

3072:2qFfHgTWmCRkGbKGLeNTBfPD5yn37SSZaMph5pAQl1neZEyVVP/QXZgLWhPOqc:N5aWbksiNTB3NW7VaMphDPcZEgaZhwqc

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fixer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2592	shutdown.exe
Token: SeRemoteShutdownPrivilege	2592	shutdown.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2736	2776	fixer.exe	31
PID 2776 wrote to memory of 2736	2776	fixer.exe	31
PID 2776 wrote to memory of 2736	2776	fixer.exe	31
PID 2776 wrote to memory of 2736	2776	fixer.exe	31
PID 2736 wrote to memory of 2592	2736	cmd.exe	32
PID 2736 wrote to memory of 2592	2736	cmd.exe	32
PID 2736 wrote to memory of 2592	2736	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\fixer.exe
"C:\Users\Admin\AppData\Local\Temp\fixer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\54D4.tmp\54D5.tmp\54D6.bat C:\Users\Admin\AppData\Local\Temp\fixer.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\system32\shutdown.exe
    shutdown.exe -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\54D4.tmp\54D5.tmp\54D6.bat

Filesize
90KB

MD5
0697e37735f7537eb5aba6ef456b8f6a

SHA1
8e75547dd903fa5da742e75b1475269f5c16b1a1

SHA256
15a25b941f99ed516c47af2c69e73fc81921ac4b125c612ec73b8883516435e5

SHA512
3e84eed741e403c6c693291c5610184113bf13a0bb4929afe19c431f0987e8acb137f571192a39da4016ceef1711bebc9f2f69e6a14b68dd51ee13a205ea380e

Download Submit