c94515d05f38e72ac0532d0a6f435b1ff53c91eb1008d0738aa63adceca32f9b

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ab5bf59d34d131407b8034d52b19d20N.exe
Size

1.6MB
MD5

9ab5bf59d34d131407b8034d52b19d20
SHA1

621339bc7cd7d86dd6c261258c3b97e11df5f66b
SHA256

c94515d05f38e72ac0532d0a6f435b1ff53c91eb1008d0738aa63adceca32f9b
SHA512

d60410b3df1f5f630365082f0277812ecd1c4e2fb15f2a5b0ae39d905144c2a93a3e64a1499dd069a8fa7481b2bad5449eea0fa6dd65b46640b51fc764133255
SSDEEP

24576:gawwKusHwEwS2RGqKKzO6I6h6gEGe/NIsWvMyCShx5a:wwREDRvShv2NuMs5a

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2716	9ab5bf59d34d131407b8034d52b19d20N.tmp

Loads dropped DLL 2 IoCs

pid	Process
2824	9ab5bf59d34d131407b8034d52b19d20N.exe
2716	9ab5bf59d34d131407b8034d52b19d20N.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ab5bf59d34d131407b8034d52b19d20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ab5bf59d34d131407b8034d52b19d20N.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2716	9ab5bf59d34d131407b8034d52b19d20N.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2716	2824	9ab5bf59d34d131407b8034d52b19d20N.exe	30
PID 2824 wrote to memory of 2716	2824	9ab5bf59d34d131407b8034d52b19d20N.exe	30
PID 2824 wrote to memory of 2716	2824	9ab5bf59d34d131407b8034d52b19d20N.exe	30
PID 2824 wrote to memory of 2716	2824	9ab5bf59d34d131407b8034d52b19d20N.exe	30
PID 2824 wrote to memory of 2716	2824	9ab5bf59d34d131407b8034d52b19d20N.exe	30
PID 2824 wrote to memory of 2716	2824	9ab5bf59d34d131407b8034d52b19d20N.exe	30
PID 2824 wrote to memory of 2716	2824	9ab5bf59d34d131407b8034d52b19d20N.exe	30

C:\Users\Admin\AppData\Local\Temp\9ab5bf59d34d131407b8034d52b19d20N.exe
"C:\Users\Admin\AppData\Local\Temp\9ab5bf59d34d131407b8034d52b19d20N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\is-1GA44.tmp\9ab5bf59d34d131407b8034d52b19d20N.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1GA44.tmp\9ab5bf59d34d131407b8034d52b19d20N.tmp" /SL5="$30156,865850,776192,C:\Users\Admin\AppData\Local\Temp\9ab5bf59d34d131407b8034d52b19d20N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-1GA44.tmp\9ab5bf59d34d131407b8034d52b19d20N.tmp

Filesize
3.0MB

MD5
f2dc929c0601bc9c0a3402c7c6eb8752

SHA1
ff8aae36fdb29b16d79809b2ceeb7504729d1800

SHA256
5c1d21b79a5e5e386f2b98b954eb1cad333f5f9d47eb85c9675fba02eccaeeb6

SHA512
19e5a11f6bde788e7524a903939b25a518d4f0a0531b9b940fd40f2e3813e3e25fb1525777dfce8ca6ded3fcf24238bac29a3620cfe09f6aa93cdaa62f01cc8b

Download Submit
\Users\Admin\AppData\Local\Temp\is-7H1JA.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
memory/2716-8-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2716-16-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2824-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2824-0-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2824-14-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download