869f756fe8a2fdd972995d92536511d8645ff64791dc69e39325234f6813af36

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

attachement_actiona-3.9.0-win32.exe
Size

27.2MB
MD5

ab74beb2e87901b96379e1b222066b1a
SHA1

92dc15df653af52c98d2b0fbcd5d479c3229f07c
SHA256

869f756fe8a2fdd972995d92536511d8645ff64791dc69e39325234f6813af36
SHA512

c7524823223f85e979a1e0cb5f9c335e2b1ea7edae598002c3675561e1ed7e52b3e4d757d4c7480cfb8e401f5ed1f983de97467519991fb195cb5d0ecbec89c1
SSDEEP

393216:i7sNvNtk5wLkTL7Px9fG2KV8uNCsU65EpN/wNaFiAtkwhZzvnFY+S:DlNySULLGLV8gCHniAX3bnC+S

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2380	attachement_actiona-3.9.0-win32.tmp

Loads dropped DLL 4 IoCs

pid	Process
2256	attachement_actiona-3.9.0-win32.exe
2380	attachement_actiona-3.9.0-win32.tmp
2380	attachement_actiona-3.9.0-win32.tmp
2380	attachement_actiona-3.9.0-win32.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attachement_actiona-3.9.0-win32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attachement_actiona-3.9.0-win32.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2380	attachement_actiona-3.9.0-win32.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2380	2256	attachement_actiona-3.9.0-win32.exe	30
PID 2256 wrote to memory of 2380	2256	attachement_actiona-3.9.0-win32.exe	30
PID 2256 wrote to memory of 2380	2256	attachement_actiona-3.9.0-win32.exe	30
PID 2256 wrote to memory of 2380	2256	attachement_actiona-3.9.0-win32.exe	30
PID 2256 wrote to memory of 2380	2256	attachement_actiona-3.9.0-win32.exe	30
PID 2256 wrote to memory of 2380	2256	attachement_actiona-3.9.0-win32.exe	30
PID 2256 wrote to memory of 2380	2256	attachement_actiona-3.9.0-win32.exe	30

C:\Users\Admin\AppData\Local\Temp\attachement_actiona-3.9.0-win32.exe
"C:\Users\Admin\AppData\Local\Temp\attachement_actiona-3.9.0-win32.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\is-0SIJO.tmp\attachement_actiona-3.9.0-win32.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0SIJO.tmp\attachement_actiona-3.9.0-win32.tmp" /SL5="$4012A,28202024,67072,C:\Users\Admin\AppData\Local\Temp\attachement_actiona-3.9.0-win32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-0SIJO.tmp\attachement_actiona-3.9.0-win32.tmp

Filesize
701KB

MD5
7c9518876aa5a30fb356ab47dd67b9a3

SHA1
6ed9f08a10d99d64483dde70a5d7d2bf6d69b712

SHA256
4890e7a147198fc5b1044f8d4e378ef54a3736478a119cb95ad78e6a79d2a97b

SHA512
56271920e784c1f670975b558631fa40a5b72c6f529fd7c789f9f2c8fccf65e255c1a115fe8a00bbfef6f0862d596105c314a20f5e868f81a203bc9c0a1aef2b

Download Submit
\Users\Admin\AppData\Local\Temp\is-TLJ30.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-TLJ30.tmp\idp.dll

Filesize
208KB

MD5
defd46ead6e1bc077f3a68c1b30f7b5e

SHA1
1fc954f6b23b7a5254fe4b92f98a752b10386e1a

SHA256
7ea855153f3f80d22d39d60af091c6d0d38bb69908ee9ed87aa96aee46f6f1f2

SHA512
96d6b1500fd69473e0e31fd62d07238cac56cf93a1cc298cac9613c9dc8f8a6a6ccc2b697c226501893a064fbef4936afd8b6a089bb4826cdf26f4c847e9e6eb

Download Submit
memory/2256-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2256-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2256-19-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2380-8-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2380-20-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download