3bf0cfbf51377667d49445b9211901f20b3401f7b77880030b59c617ae79e9f5

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 14:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3bf0cfbf51377667d49445b9211901f20b3401f7b77880030b59c617ae79e9f5.exe
Size

899KB
MD5

dab5cba0bae665d73595f61cce68f5d4
SHA1

e06eeb6fb60b4ee44812c8efdbfe882b154cb9ca
SHA256

3bf0cfbf51377667d49445b9211901f20b3401f7b77880030b59c617ae79e9f5
SHA512

7318da28633ff52e4103677a1168a9f7365631c81de6de74722ae075267b89edf791c2a8f132cab1e4bceb65b55efab979c3181ce6c68540cf16cf4c640d995b
SSDEEP

24576:jGvrY3tcr1R2ydMQULhbeeE7xoD46mJvC0wErDpGvrY3tcr1R2ydMQULhbeeE7xe:jLN+GE3pLN+U

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\msfsa = "C:\\windows\\tsay.exe"	3bf0cfbf51377667d49445b9211901f20b3401f7b77880030b59c617ae79e9f5.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\tsay.exe	3bf0cfbf51377667d49445b9211901f20b3401f7b77880030b59c617ae79e9f5.exe
File opened for modification	C:\windows\tsay.exe	3bf0cfbf51377667d49445b9211901f20b3401f7b77880030b59c617ae79e9f5.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bf0cfbf51377667d49445b9211901f20b3401f7b77880030b59c617ae79e9f5.exe

C:\Users\Admin\AppData\Local\Temp\3bf0cfbf51377667d49445b9211901f20b3401f7b77880030b59c617ae79e9f5.exe
"C:\Users\Admin\AppData\Local\Temp\3bf0cfbf51377667d49445b9211901f20b3401f7b77880030b59c617ae79e9f5.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2496-0-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2496-4-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2496-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads