7397593ee8cd6d9f710d48f23ca68975018eb5ec7c586e096a0375537368998e

Analysis

max time kernel
32s
max time network
62s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01-09-2024 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02df09f9531f1929888f34db93875880N.exe
Size

459KB
MD5

02df09f9531f1929888f34db93875880
SHA1

ab14f4f66b9eb038e9fb2debda554c5fb053cda5
SHA256

7397593ee8cd6d9f710d48f23ca68975018eb5ec7c586e096a0375537368998e
SHA512

2ab929fee47e6c694d0a987e14a4f3e63a53af88b4a2568bcee5e18d720ea4c7426fe8bb14cbdccbcf52550ee794486562fc24a380eac8e8e91acd2f59b106a2
SSDEEP

12288:W3ms2m+WEaR8I+tXmTU6oGo7dBOTOLJcM:WBzzRdxTFoGohUi

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
812	02df09f9531f1929888f34db93875880N.exe

Executes dropped EXE 1 IoCs

pid	Process
812	02df09f9531f1929888f34db93875880N.exe

Loads dropped DLL 1 IoCs

pid	Process
2172	02df09f9531f1929888f34db93875880N.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/812-24-0x0000000000400000-0x00000000004E0000-memory.dmp	upx
behavioral1/files/0x000c000000012243-17.dat	upx
behavioral1/memory/2172-0-0x0000000000400000-0x00000000004E0000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02df09f9531f1929888f34db93875880N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02df09f9531f1929888f34db93875880N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2172	02df09f9531f1929888f34db93875880N.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2172	02df09f9531f1929888f34db93875880N.exe
812	02df09f9531f1929888f34db93875880N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 812	2172	02df09f9531f1929888f34db93875880N.exe	30
PID 2172 wrote to memory of 812	2172	02df09f9531f1929888f34db93875880N.exe	30
PID 2172 wrote to memory of 812	2172	02df09f9531f1929888f34db93875880N.exe	30
PID 2172 wrote to memory of 812	2172	02df09f9531f1929888f34db93875880N.exe	30

C:\Users\Admin\AppData\Local\Temp\02df09f9531f1929888f34db93875880N.exe
"C:\Users\Admin\AppData\Local\Temp\02df09f9531f1929888f34db93875880N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\02df09f9531f1929888f34db93875880N.exe
  C:\Users\Admin\AppData\Local\Temp\02df09f9531f1929888f34db93875880N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\02df09f9531f1929888f34db93875880N.exe

Filesize
459KB

MD5
51e5ec273b44d948888463e76daece2a

SHA1
062af2cb0dd0509991c79c4fc5ba5b81e68660dc

SHA256
4e34cc989498a24d3f8be38e41d2e0e1ba953ce7d864bcc7530f2c2d2c26559b

SHA512
3c92774b1a0d7b2360e4a345015ae3cfe7ebcd008f759b59bf44d6a6760be8b1e54d8f7c15ddac1bf221f5e01022060876c720e6fb5df2313d03ed25ca1d9f26

Download Submit
memory/812-25-0x0000000000210000-0x0000000000241000-memory.dmp

Filesize
196KB

Download
memory/812-24-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/812-42-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2172-16-0x0000000022D30000-0x0000000022E10000-memory.dmp

Filesize
896KB

Download
memory/2172-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2172-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2172-1-0x0000000000160000-0x0000000000191000-memory.dmp

Filesize
196KB

Download
memory/2172-0-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download