a472e85d20b555086291d456c324d8d1b171fc39fddb5ef35e37fc2d55cf26c5

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b26ffab318f487f9bdd1bd162cf60030N.exe
Size

36KB
MD5

b26ffab318f487f9bdd1bd162cf60030
SHA1

4206c5471b24bb32cfce85efc16335f6b6c7f35b
SHA256

a472e85d20b555086291d456c324d8d1b171fc39fddb5ef35e37fc2d55cf26c5
SHA512

d318304bbddb0fca96809adb8f123b1a0cc4f5e48bd531255b8d5517c69b4e73ba732c6a2b8d492c7327c109a4b68c8fe0afaa347f98f4c18e58c02a8e8295f3
SSDEEP

384:6YwzAbTtITikpqIoxO6kA35c6ubEAPTCLYz+z4GJfblRiAFojdIwMDQOiJMVun:yAHt0Vu5IrM44TlhZwKQFJOun

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2680	fireupdater.exe

Loads dropped DLL 1 IoCs

pid	Process
836	b26ffab318f487f9bdd1bd162cf60030N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b26ffab318f487f9bdd1bd162cf60030N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fireupdater.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 2680	836	b26ffab318f487f9bdd1bd162cf60030N.exe	30
PID 836 wrote to memory of 2680	836	b26ffab318f487f9bdd1bd162cf60030N.exe	30
PID 836 wrote to memory of 2680	836	b26ffab318f487f9bdd1bd162cf60030N.exe	30
PID 836 wrote to memory of 2680	836	b26ffab318f487f9bdd1bd162cf60030N.exe	30
PID 836 wrote to memory of 2680	836	b26ffab318f487f9bdd1bd162cf60030N.exe	30
PID 836 wrote to memory of 2680	836	b26ffab318f487f9bdd1bd162cf60030N.exe	30
PID 836 wrote to memory of 2680	836	b26ffab318f487f9bdd1bd162cf60030N.exe	30

C:\Users\Admin\AppData\Local\Temp\b26ffab318f487f9bdd1bd162cf60030N.exe
"C:\Users\Admin\AppData\Local\Temp\b26ffab318f487f9bdd1bd162cf60030N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Local\Temp\fireupdater.exe
  "C:\Users\Admin\AppData\Local\Temp\fireupdater.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\fireupdater.exe

Filesize
36KB

MD5
1c702ef628e61ff6d1f1fb9e333e4835

SHA1
78c05fd3d7e6ec42c08acb4f0998ff59c04d5f67

SHA256
143b514466896c1c727b8ee641322653ce541d22af75e600e3083e35a4668749

SHA512
12b5d5f682490a5d2fe692dd18d8d4aea0fcd20ce9dc3e986441bfbf99e063415ae175d519d3d228edbff8b053971a96594e07b97b5c7044835bf57334633f99

Download Submit
memory/836-1-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/2680-8-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download