ef192d2c63771d4cadc214fd81550d1b2a69ec5cc8123c9431fc465a1e77eee5

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f226e4dff8aa1c6db7437faf9be9f000N.exe
Size

73KB
MD5

f226e4dff8aa1c6db7437faf9be9f000
SHA1

0f196d8e7ef86a066541fc1ea89af8c470f42c38
SHA256

ef192d2c63771d4cadc214fd81550d1b2a69ec5cc8123c9431fc465a1e77eee5
SHA512

561646556b36d85a077053671cc0a139cd71a98d7dd1c03c978088cc8ac8095621f4af5e244c0a5ce252c190e5b051613956f1fd435345735f8cf454e79aa6e2
SSDEEP

768:tCru/f9UwlEsezy4n8uZ5tUXMJ+fROUmELY2glEbM3j+rd+fpRuO4TW7ReOOJ:dRIzy48untU8fOMEI3jyYfPT4wOJ

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f226e4dff8aa1c6db7437faf9be9f000N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexpress.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	makecab.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2244	2548	f226e4dff8aa1c6db7437faf9be9f000N.exe	30
PID 2548 wrote to memory of 2244	2548	f226e4dff8aa1c6db7437faf9be9f000N.exe	30
PID 2548 wrote to memory of 2244	2548	f226e4dff8aa1c6db7437faf9be9f000N.exe	30
PID 2548 wrote to memory of 2244	2548	f226e4dff8aa1c6db7437faf9be9f000N.exe	30
PID 2244 wrote to memory of 2712	2244	cmd.exe	31
PID 2244 wrote to memory of 2712	2244	cmd.exe	31
PID 2244 wrote to memory of 2712	2244	cmd.exe	31
PID 2244 wrote to memory of 2712	2244	cmd.exe	31
PID 2712 wrote to memory of 2820	2712	iexpress.exe	32
PID 2712 wrote to memory of 2820	2712	iexpress.exe	32
PID 2712 wrote to memory of 2820	2712	iexpress.exe	32
PID 2712 wrote to memory of 2820	2712	iexpress.exe	32

C:\Users\Admin\AppData\Local\Temp\f226e4dff8aa1c6db7437faf9be9f000N.exe
"C:\Users\Admin\AppData\Local\Temp\f226e4dff8aa1c6db7437faf9be9f000N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\E022.tmp\1.bat" "C:\Users\Admin\AppData\Local\Temp\f226e4dff8aa1c6db7437faf9be9f000N.exe""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\iexpress.exe
    iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\popup.sed
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\makecab.exe
      C:\Windows\SysWOW64\makecab.exe /f "~%TargetName%.DDF"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E022.tmp\1.bat

Filesize
1KB

MD5
02dba5f37067292355c6d01a57d4ef48

SHA1
7c67ab3f99fbf7a53018dd295d2968c525db83d9

SHA256
8b74c812ba9e6c536da7edd4101e7e0dddeab8355e5aff095dd31b3f00560242

SHA512
12201f949ee3198c8f4b39cc8edf90a114ecf42ddd5383ed0b87e4c78053cd517786dc7af83557e63a0483af74f4c0117d5568441ae761ff6958e758704d602a

Download Submit
C:\Users\Admin\AppData\Local\Temp\popup.sed

Filesize
74KB

MD5
24af4568bd4ec123fe1397217284b6df

SHA1
ea14c0afa4cc17b8696ca94b657a0b802a48621e

SHA256
928d3491cf03bf57b67ab4e062b4f716f47509ff6a9902f9eef6c799bda2fdf6

SHA512
743dbcf53ec09bb88f64da1530b07e2139dfdab25ad34b35f5f84f6b96182e4120f12cd3ffe0e7e4f848093ed1facb2955df4f205419ddbb02e4ce499ca11cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\~%TargetName%.DDF

Filesize
724B

MD5
c3ca008abd6997c4b036a7e8be75cb2c

SHA1
05f7a3527bb04c691b08f040f562582035398829

SHA256
29ef6bf47dcc8c67f1abe1b269d3518d6a4ebe125daa1ea460779638cb9782a3

SHA512
bee0baf3cb83144239077f99f5ca2a6ca7b618f7f51a53e03613ae697e8bc76fa28f5d006296b469be8e1fffeeb35668b5fe87b260b1380cc003815ea9efb083

Download Submit
memory/2548-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2548-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download