7f9200d64a0be596d0c01b1853ff6ef6d3d0799286265a1b95e2e61de611a15c

Analysis

max time kernel
103s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a04118012045becdd097be62c145e00N.exe
Size

65KB
MD5

7a04118012045becdd097be62c145e00
SHA1

51bfbdfb5b158492a546a813e9611107d7bad7f6
SHA256

7f9200d64a0be596d0c01b1853ff6ef6d3d0799286265a1b95e2e61de611a15c
SHA512

5a2a0326aaffbc77606898e9979fb1c96a47762359e74651407eecf4a51e51eec05ea48e4c979815fda16e0a1c11e058691ae800809e90ac949ac7771b75a0ed
SSDEEP

768:ErzHIr42KUtWafMjFDWkCO05EsCC/s3NhfAoiDCIElPbAX2n0fjr:Er9ZaidWVOEE3NxweIElDAmnqjr

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1480	rmass.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000900000002346b-3.dat	upx
behavioral2/memory/1480-4-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rmass.exe	7a04118012045becdd097be62c145e00N.exe
File opened for modification	C:\Windows\SysWOW64\rmass.exe	7a04118012045becdd097be62c145e00N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a04118012045becdd097be62c145e00N.exe

C:\Users\Admin\AppData\Local\Temp\7a04118012045becdd097be62c145e00N.exe
"C:\Users\Admin\AppData\Local\Temp\7a04118012045becdd097be62c145e00N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4032
- C:\Windows\SysWOW64\rmass.exe
  "C:\Windows\SysWOW64\rmass.exe"
  2⤵
  - Executes dropped EXE
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rmass.exe

Filesize
62KB

MD5
77a4c21fcb8f862e4fe0d8e5dc856e6b

SHA1
7472cf691767f0988fa485079a0485aaf49d684d

SHA256
80dd66cc00249029f4743607aef8d1c2fefb46497dc4a1d3e6e330c58a4debe8

SHA512
a3a1c8412b04409f1ba864e13b6559ad3c9299b6c96e42b61252e0d7400b21f52422ac13537a70e075ca9bd3b60a550fc8b540d7a83e05e2507812b6581012de

Download Submit
memory/1480-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4032-0-0x0000000077752000-0x0000000077753000-memory.dmp

Filesize
4KB

Download
memory/4032-5-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download