9c945dbe7845d5e537ea37b1578eda27fa143113044216c3849b1d8506434c51

Analysis

max time kernel
111s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25-08-2024 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3f5301c3beceb928be7f4d2493ca690N.exe
Size

2.1MB
MD5

f3f5301c3beceb928be7f4d2493ca690
SHA1

903071b141cc3eb47b30bde567e5647fa59e90ff
SHA256

9c945dbe7845d5e537ea37b1578eda27fa143113044216c3849b1d8506434c51
SHA512

4e93d24e5b8f880a84b2dd90810bf78ac14051ab272482c53f3cef2d04544c7b23fc86e70b91c0a2d3629df15add5208ba20688d4f54e5f0747e031b0fda7a08
SSDEEP

24576:O4nXu4IBSt3nIdtrczgPfEtc+1XRqAQkkddlsthaaV2AsO0IhTYnqbxK91dhXBLx:OqeLSsmhaaYXO0kTLbxKzqf3obvQMy

Score

6^/10

discovery

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	f3f5301c3beceb928be7f4d2493ca690N.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast\Version	f3f5301c3beceb928be7f4d2493ca690N.tmp

Executes dropped EXE 1 IoCs

pid	Process
2392	f3f5301c3beceb928be7f4d2493ca690N.tmp

Loads dropped DLL 3 IoCs

pid	Process
2316	f3f5301c3beceb928be7f4d2493ca690N.exe
2392	f3f5301c3beceb928be7f4d2493ca690N.tmp
2392	f3f5301c3beceb928be7f4d2493ca690N.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3f5301c3beceb928be7f4d2493ca690N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3f5301c3beceb928be7f4d2493ca690N.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2392	f3f5301c3beceb928be7f4d2493ca690N.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2392	2316	f3f5301c3beceb928be7f4d2493ca690N.exe	30
PID 2316 wrote to memory of 2392	2316	f3f5301c3beceb928be7f4d2493ca690N.exe	30
PID 2316 wrote to memory of 2392	2316	f3f5301c3beceb928be7f4d2493ca690N.exe	30
PID 2316 wrote to memory of 2392	2316	f3f5301c3beceb928be7f4d2493ca690N.exe	30
PID 2316 wrote to memory of 2392	2316	f3f5301c3beceb928be7f4d2493ca690N.exe	30
PID 2316 wrote to memory of 2392	2316	f3f5301c3beceb928be7f4d2493ca690N.exe	30
PID 2316 wrote to memory of 2392	2316	f3f5301c3beceb928be7f4d2493ca690N.exe	30

C:\Users\Admin\AppData\Local\Temp\f3f5301c3beceb928be7f4d2493ca690N.exe
"C:\Users\Admin\AppData\Local\Temp\f3f5301c3beceb928be7f4d2493ca690N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\is-50UQ4.tmp\f3f5301c3beceb928be7f4d2493ca690N.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-50UQ4.tmp\f3f5301c3beceb928be7f4d2493ca690N.tmp" /SL5="$400F4,1333810,894464,C:\Users\Admin\AppData\Local\Temp\f3f5301c3beceb928be7f4d2493ca690N.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-3G323.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-3G323.tmp\idp.dll

Filesize
247KB

MD5
45ead1b24bca99652f354fafaaaaa7b2

SHA1
b9efd6e76e73f173c9afdc0acc3747ba4379def1

SHA256
1bc9d2e167b855ac68f0ad59f039b472544369ad5ac40b300c696cd5caa5c2c6

SHA512
f362e6e17a18b6bd227ec9a7776f015513c1dac4593e759e88b11dc218d41b86cc2e74a742da646fb440d24a6dc6f286340102b22bc29280b042ded7157396ac

Download Submit
\Users\Admin\AppData\Local\Temp\is-50UQ4.tmp\f3f5301c3beceb928be7f4d2493ca690N.tmp

Filesize
3.0MB

MD5
89444e93ab660171a18745307563c180

SHA1
27adc66f2f7af732c2d0c09b4f12f666cc470109

SHA256
4adb7f683f44c6eaf51754bdceae3ea6ded8f4a49bb1c89ba2fa2c06dcfdcdfb

SHA512
5f4b97d6fb2cff1ca8762fe18766799daebfb4cfc709bf55bb603025b807b8d944f5c753edc83e18c9eee0266b7e1c70aab06069a90d9ab6a087fb4a74b2969c

Download Submit
memory/2316-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2316-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2316-17-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2392-8-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2392-19-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download