0dd816a859e81b7e618fcc2f57458ad34aca03fcb7dfb128664c069266092877

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 01:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

eda24e34688c89387dea934beffd0ba0N.exe
Size

410KB
MD5

eda24e34688c89387dea934beffd0ba0
SHA1

cd7439c1b2b118c19110131369e4e8bc4a9f2a77
SHA256

0dd816a859e81b7e618fcc2f57458ad34aca03fcb7dfb128664c069266092877
SHA512

8b7604e8f51d8951d034c01197a6c8f8132ac1b5cb209468902127b944be21d26b300aa417c6c07b894ba52dc9869c4736397f0af1b216729d29a27e70354789
SSDEEP

6144:D5FrtlrIiswtAyxmbeoYRMHpeW+5GZoNhHCUh4wNWdVo5:DHrtqi3trxg4uHJXZoNhHC84/dA

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2520	Sysceaminwjo.exe

Loads dropped DLL 2 IoCs

pid	Process
2084	eda24e34688c89387dea934beffd0ba0N.exe
2084	eda24e34688c89387dea934beffd0ba0N.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2084-0-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/files/0x000800000001660d-7.dat	upx
behavioral1/memory/2520-17-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2084-18-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eda24e34688c89387dea934beffd0ba0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe
2520	Sysceaminwjo.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2520	2084	eda24e34688c89387dea934beffd0ba0N.exe	31
PID 2084 wrote to memory of 2520	2084	eda24e34688c89387dea934beffd0ba0N.exe	31
PID 2084 wrote to memory of 2520	2084	eda24e34688c89387dea934beffd0ba0N.exe	31
PID 2084 wrote to memory of 2520	2084	eda24e34688c89387dea934beffd0ba0N.exe	31

C:\Users\Admin\AppData\Local\Temp\eda24e34688c89387dea934beffd0ba0N.exe
"C:\Users\Admin\AppData\Local\Temp\eda24e34688c89387dea934beffd0ba0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\Sysceaminwjo.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceaminwjo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
71B

MD5
4f85a511d1aa61bc9df407b3963bcafa

SHA1
938dd69ae256f320f4c75ab64d972b52eb48ed92

SHA256
d627ffd6e9faca74588177b2d6220fe89c16a02b6e1b5cd9de42f720f0a810bc

SHA512
0aa5c9110046ab169b9a385583536e8661589b6b4fc34903a9b290fb7c94d1243057f3d2376b41253468b92fa28a8cd1344cb19bf7fbc5c2af9e50ba64195879

Download Submit
\Users\Admin\AppData\Local\Temp\Sysceaminwjo.exe

Filesize
410KB

MD5
115740046f48c0cf83210bce6c434e2c

SHA1
1ff364474161ee9479659480efe5f2324f2ea9d0

SHA256
ca7a14724841fc87db385f17cfe4e155b9f2da3ebcbb4302baa11cdaf3b0dfb6

SHA512
bf1cc224dad1ac57fcf6de57980c768e54f91189dfa1808607238aa7d29a4a2d04a1d2e9448dc24322b5ee578cdfb0499efea39b004ba3abe576cc166e8fafce

Download Submit
memory/2084-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2084-14-0x0000000003890000-0x00000000038EB000-memory.dmp

Filesize
364KB

Download
memory/2084-18-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2520-17-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download