ee778d4170709b927fdc888c84af0e93f5dc9e7d46288d9b58b9ac8e0bae64ba

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee778d4170709b927fdc888c84af0e93f5dc9e7d46288d9b58b9ac8e0bae64ba.exe
Size

5.1MB
MD5

478d6886bb188a47255c4d56b88a407f
SHA1

e2753b8b4b665e7373a4faea2ba38793271a151c
SHA256

ee778d4170709b927fdc888c84af0e93f5dc9e7d46288d9b58b9ac8e0bae64ba
SHA512

92bfb675445b52bcbac52f3695d9e84245775bf53a4b49f720bd3d5466eb8c7f37bfcaab112f90c269408cd5f9d0c0b7260458a3caec4141e1037edafd39c9ef
SSDEEP

98304:EIZcB98hKgkvc8veTP+hU7oiOcQ1GwvZGVrlyKGEDC:YHx9vjKGEDC

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3056	ee778d4170709b927fdc888c84af0e93f5dc9e7d46288d9b58b9ac8e0bae64ba.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2524	3056	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee778d4170709b927fdc888c84af0e93f5dc9e7d46288d9b58b9ac8e0bae64ba.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3056	ee778d4170709b927fdc888c84af0e93f5dc9e7d46288d9b58b9ac8e0bae64ba.exe
3056	ee778d4170709b927fdc888c84af0e93f5dc9e7d46288d9b58b9ac8e0bae64ba.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2524	3056	ee778d4170709b927fdc888c84af0e93f5dc9e7d46288d9b58b9ac8e0bae64ba.exe	31
PID 3056 wrote to memory of 2524	3056	ee778d4170709b927fdc888c84af0e93f5dc9e7d46288d9b58b9ac8e0bae64ba.exe	31
PID 3056 wrote to memory of 2524	3056	ee778d4170709b927fdc888c84af0e93f5dc9e7d46288d9b58b9ac8e0bae64ba.exe	31
PID 3056 wrote to memory of 2524	3056	ee778d4170709b927fdc888c84af0e93f5dc9e7d46288d9b58b9ac8e0bae64ba.exe	31

C:\Users\Admin\AppData\Local\Temp\ee778d4170709b927fdc888c84af0e93f5dc9e7d46288d9b58b9ac8e0bae64ba.exe
"C:\Users\Admin\AppData\Local\Temp\ee778d4170709b927fdc888c84af0e93f5dc9e7d46288d9b58b9ac8e0bae64ba.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 352
  2⤵
  - Program crash
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\libcurl.dll

Filesize
2.5MB

MD5
298f5812023bab65ee23d13ee9489a6e

SHA1
71e9d7f205e5e7af6907c539c77a3aeea971692f

SHA256
fe100d35b034c15ae3b74379f4eedd321c8e4b84fe666b54ee924ca2a8bdca6e

SHA512
217258fb7728f61199f913fb98c894077c12a124e1596d1c6c7cfc065d4d2a6e1e03ad950c3321e2a8dcd997fb5c9524f98530db4bcb39f9914ecb5ff0e22dbd

Download Submit