8c4510f007c83b1c5c40164579313a180326741e3b7b2baccf5f4aa3fe73a2a9

Analysis

max time kernel
111s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25-08-2024 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0810daeddae3c52328b05ea602768c40N.exe
Size

2.1MB
MD5

0810daeddae3c52328b05ea602768c40
SHA1

de55b2237965756f9f2df31c412ee1c463e4e6a7
SHA256

8c4510f007c83b1c5c40164579313a180326741e3b7b2baccf5f4aa3fe73a2a9
SHA512

c943be7114f58de9c097e4e6e114b8a938fa304f134fc19fb6a4feeda39c77151aee466e8a356dcf22b2ee20a7e6d1cf89b653db126dbf84a9c10820e0672955
SSDEEP

49152:vqefqsnabbfiNhaqw/Ax8GjdkfeKJ84yJCUR7rMI2:SwqsvNh7w/KjdaFJ84oTrM/

Score

6^/10

discovery

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	0810daeddae3c52328b05ea602768c40N.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast\Version	0810daeddae3c52328b05ea602768c40N.tmp

Executes dropped EXE 1 IoCs

pid	Process
2988	0810daeddae3c52328b05ea602768c40N.tmp

Loads dropped DLL 3 IoCs

pid	Process
600	0810daeddae3c52328b05ea602768c40N.exe
2988	0810daeddae3c52328b05ea602768c40N.tmp
2988	0810daeddae3c52328b05ea602768c40N.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0810daeddae3c52328b05ea602768c40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0810daeddae3c52328b05ea602768c40N.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2988	0810daeddae3c52328b05ea602768c40N.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 600 wrote to memory of 2988	600	0810daeddae3c52328b05ea602768c40N.exe	30
PID 600 wrote to memory of 2988	600	0810daeddae3c52328b05ea602768c40N.exe	30
PID 600 wrote to memory of 2988	600	0810daeddae3c52328b05ea602768c40N.exe	30
PID 600 wrote to memory of 2988	600	0810daeddae3c52328b05ea602768c40N.exe	30
PID 600 wrote to memory of 2988	600	0810daeddae3c52328b05ea602768c40N.exe	30
PID 600 wrote to memory of 2988	600	0810daeddae3c52328b05ea602768c40N.exe	30
PID 600 wrote to memory of 2988	600	0810daeddae3c52328b05ea602768c40N.exe	30

C:\Users\Admin\AppData\Local\Temp\0810daeddae3c52328b05ea602768c40N.exe
"C:\Users\Admin\AppData\Local\Temp\0810daeddae3c52328b05ea602768c40N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:600
- C:\Users\Admin\AppData\Local\Temp\is-VF9RB.tmp\0810daeddae3c52328b05ea602768c40N.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-VF9RB.tmp\0810daeddae3c52328b05ea602768c40N.tmp" /SL5="$30150,1333810,894464,C:\Users\Admin\AppData\Local\Temp\0810daeddae3c52328b05ea602768c40N.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-JVQ9V.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-JVQ9V.tmp\idp.dll

Filesize
247KB

MD5
45ead1b24bca99652f354fafaaaaa7b2

SHA1
b9efd6e76e73f173c9afdc0acc3747ba4379def1

SHA256
1bc9d2e167b855ac68f0ad59f039b472544369ad5ac40b300c696cd5caa5c2c6

SHA512
f362e6e17a18b6bd227ec9a7776f015513c1dac4593e759e88b11dc218d41b86cc2e74a742da646fb440d24a6dc6f286340102b22bc29280b042ded7157396ac

Download Submit
\Users\Admin\AppData\Local\Temp\is-VF9RB.tmp\0810daeddae3c52328b05ea602768c40N.tmp

Filesize
3.0MB

MD5
bb7f0f21119db8a3442c01aae3453589

SHA1
14859c3a81f1d8706a531f5d6a93ed0cd0b658a7

SHA256
9f1f4b8fdab69137534e4805b3c2b1516406a9f85ea8885a24e2ed77f8ac4b86

SHA512
ac6110bce59c1a17a12b62690edf128b556c18f0fe04e81a3ed931c875f56cf49be282debe2a720603b5d3114da41473625f1e7eae4d9d08227b4782df478395

Download Submit
memory/600-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/600-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/600-17-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2988-10-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2988-19-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download