f99f6bec0e70174987064d8c3b962c228d2f69c75ca39a8ebff238f696489760

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f99f6bec0e70174987064d8c3b962c228d2f69c75ca39a8ebff238f696489760.exe
Size

430KB
MD5

843ada62b385071f0770466fcdc1e3bc
SHA1

ba64ee4ca4bb76a88304d98fbec077c1ff8b01dc
SHA256

f99f6bec0e70174987064d8c3b962c228d2f69c75ca39a8ebff238f696489760
SHA512

9f3ef5cdf8268c4bafb50615de754550fc9f030ceb9541dfa06081893a85ceb4c5abced482d723ff75dacc2324627a37991c4f9bdf2900c673fe3082ab4b910d
SSDEEP

12288:p4tnf0sfAfuxVDch+TwyX3McvZPKWAgORb0tARm19p:gH4G/DKcHlp

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f99f6bec0e70174987064d8c3b962c228d2f69c75ca39a8ebff238f696489760.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2548	f99f6bec0e70174987064d8c3b962c228d2f69c75ca39a8ebff238f696489760.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	f99f6bec0e70174987064d8c3b962c228d2f69c75ca39a8ebff238f696489760.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2548	f99f6bec0e70174987064d8c3b962c228d2f69c75ca39a8ebff238f696489760.exe

C:\Users\Admin\AppData\Local\Temp\f99f6bec0e70174987064d8c3b962c228d2f69c75ca39a8ebff238f696489760.exe
"C:\Users\Admin\AppData\Local\Temp\f99f6bec0e70174987064d8c3b962c228d2f69c75ca39a8ebff238f696489760.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\systemSC.ini

Filesize
166B

MD5
810a632311d0db005a5d5f0be33870b2

SHA1
691553b10b15e8d6d407b33464d1d3f57b4ce9c8

SHA256
ed72225f1a46a95dc812b2cba4225e8812cb99d91aec1525b8c9d37d62d3de1e

SHA512
367058be8eaaa738f1d7525578f1e810d5f85086ad9d3fdb7984ada8154ae32e4811a33d804de54f79013b4a579e075dc8322b1eb9ea7e5dd343d7c5e8bbc387

Download Submit
memory/2548-0-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download
memory/2548-1-0x0000000000360000-0x00000000003D2000-memory.dmp

Filesize
456KB

Download
memory/2548-2-0x00000000003F0000-0x0000000000424000-memory.dmp

Filesize
208KB

Download
memory/2548-3-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2548-5-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2548-13-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download
memory/2548-14-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download