ff727df62c764a2e45c2aa054a169487436d55fcf2d87a9176ecb88b8a11f169

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe
Size

21.6MB
MD5

f627f381233039bae67494833c9c034e
SHA1

a70f577fef3a7bd4c59d7c52a273e5a9444c0a3a
SHA256

decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6
SHA512

597b7c6c3b8486f2bdab7d8447be87d861dc0fc918615b061bb8888f4b69d5732eea2b8b682e32c67fcb264cee88829a222e75d4e42e542090ab9613ccb90a25
SSDEEP

393216:yt1aJNdbPmYRQK7+8KobA50pf0P1y1wwZmUh/lbTtJQlM5GB46LY8kX:yfidbrRQOKoXpfU1CwwZmElP0M5GWhrX

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
844	decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 844	3032	decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe	31
PID 3032 wrote to memory of 844	3032	decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe	31
PID 3032 wrote to memory of 844	3032	decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe	31
PID 3032 wrote to memory of 844	3032	decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe	31

C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe
"C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe
  "C:\Users\Admin\AppData\Local\Temp\decc924c5d9724166e627622abfe52636a28c89253307aa88966c70b77a3e1a6.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI30322\python39.dll

Filesize
4.2MB

MD5
2a9c5db70c6906571f2ca3a07521baa2

SHA1
765fa27bbee6a02b20b14b2b78c92a880e6627e5

SHA256
c69ce89b0487d86a63b64951207781f8051282afde67b20d3b8374c1a067f611

SHA512
fa4a677eaae2d258ac4f083a4e7009d985523b964ada93f53dc399a88c14970c7be2d2f39a7b38a922b58d134df2ede954554dcd00a4895e4273161867acac53

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30322\wheel-0.43.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit