7f4019b7c194d8c672cc75e22d2abf442740f23a3537cbedf3e00bdbe9664adf

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17811455469c577edee883bb3d68f830N.exe
Size

1.6MB
MD5

17811455469c577edee883bb3d68f830
SHA1

3447a3d34faf9357567a498d6b1f5613aa30c74f
SHA256

7f4019b7c194d8c672cc75e22d2abf442740f23a3537cbedf3e00bdbe9664adf
SHA512

754d54834c3e186edee5fada42138122bfc06c070aadd4d5cc85e4ad2cf3db449c6a9f6fe7087c896ee2094eb96d84e310b76f8b3adb6dc6c3d396a59ce85e76
SSDEEP

24576:gawwKusHwEwS2HGqKqzO6I6h6gEGe/NIsWvMyCShxAq:wwREDLnShv2NuMsAq

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2704	17811455469c577edee883bb3d68f830N.tmp

Loads dropped DLL 2 IoCs

pid	Process
2668	17811455469c577edee883bb3d68f830N.exe
2704	17811455469c577edee883bb3d68f830N.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17811455469c577edee883bb3d68f830N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17811455469c577edee883bb3d68f830N.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2704	17811455469c577edee883bb3d68f830N.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2704	2668	17811455469c577edee883bb3d68f830N.exe	30
PID 2668 wrote to memory of 2704	2668	17811455469c577edee883bb3d68f830N.exe	30
PID 2668 wrote to memory of 2704	2668	17811455469c577edee883bb3d68f830N.exe	30
PID 2668 wrote to memory of 2704	2668	17811455469c577edee883bb3d68f830N.exe	30
PID 2668 wrote to memory of 2704	2668	17811455469c577edee883bb3d68f830N.exe	30
PID 2668 wrote to memory of 2704	2668	17811455469c577edee883bb3d68f830N.exe	30
PID 2668 wrote to memory of 2704	2668	17811455469c577edee883bb3d68f830N.exe	30

C:\Users\Admin\AppData\Local\Temp\17811455469c577edee883bb3d68f830N.exe
"C:\Users\Admin\AppData\Local\Temp\17811455469c577edee883bb3d68f830N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\is-3TL20.tmp\17811455469c577edee883bb3d68f830N.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3TL20.tmp\17811455469c577edee883bb3d68f830N.tmp" /SL5="$4010A,865850,776192,C:\Users\Admin\AppData\Local\Temp\17811455469c577edee883bb3d68f830N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-3TL20.tmp\17811455469c577edee883bb3d68f830N.tmp

Filesize
3.0MB

MD5
39b9afed3d67a7f09ea19e981173732f

SHA1
1a56d1e5c283e4c07ea9f9962c6f82754e15dfa1

SHA256
6455e03e85579a5e642852b09eec90b733ac491f50c2bf25224e411a22694513

SHA512
32e6702502aed6f14b3d7b866da31a82a5aea0c553617797ee51142cb3b308c183ec0df3ceb9cc795c7a4c01ba62bafe836cd206ad2fc5fd02d265591ba27230

Download Submit
\Users\Admin\AppData\Local\Temp\is-HFNI4.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
memory/2668-0-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2668-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2668-14-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2704-9-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2704-15-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download