f5618d6d3b9771ed1a15a60f0a42d526d08ecb024e6d0fbae9db99a670678afa

Analysis

max time kernel
33s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5618d6d3b9771ed1a15a60f0a42d526d08ecb024e6d0fbae9db99a670678afaN.exe
Size

1.4MB
MD5

3d6de283a0f489c274fa0d6fc049eac0
SHA1

e36196d9afc3072d6c42391a688aad8b30c0403e
SHA256

f5618d6d3b9771ed1a15a60f0a42d526d08ecb024e6d0fbae9db99a670678afa
SHA512

641afb4cd6132d8fe5cd74a6f611814df17587d4b421c24334bc38b7e0df89296a6059838c942e70546d91edf50836813264cea8c64ee771cb4eac80468cd129
SSDEEP

24576:J8p6N4PnGGatN5+cNrjrJHQNM5/WVyNppRXEXNDPENlYj+lb+UEcmJLknT1f2OX9:eptXWv+83rJHQO5JprXTNujFc8a1f2ON

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5618d6d3b9771ed1a15a60f0a42d526d08ecb024e6d0fbae9db99a670678afaN.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2632	javaw.exe
2632	javaw.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2632	3004	f5618d6d3b9771ed1a15a60f0a42d526d08ecb024e6d0fbae9db99a670678afaN.exe	30
PID 3004 wrote to memory of 2632	3004	f5618d6d3b9771ed1a15a60f0a42d526d08ecb024e6d0fbae9db99a670678afaN.exe	30
PID 3004 wrote to memory of 2632	3004	f5618d6d3b9771ed1a15a60f0a42d526d08ecb024e6d0fbae9db99a670678afaN.exe	30
PID 3004 wrote to memory of 2632	3004	f5618d6d3b9771ed1a15a60f0a42d526d08ecb024e6d0fbae9db99a670678afaN.exe	30

C:\Users\Admin\AppData\Local\Temp\f5618d6d3b9771ed1a15a60f0a42d526d08ecb024e6d0fbae9db99a670678afaN.exe
"C:\Users\Admin\AppData\Local\Temp\f5618d6d3b9771ed1a15a60f0a42d526d08ecb024e6d0fbae9db99a670678afaN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\f5618d6d3b9771ed1a15a60f0a42d526d08ecb024e6d0fbae9db99a670678afaN.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2632-3-0x0000000002770000-0x00000000029E0000-memory.dmp

Filesize
2.4MB

Download
memory/2632-15-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/2632-14-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/2632-20-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2632-23-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2632-26-0x0000000002770000-0x00000000029E0000-memory.dmp

Filesize
2.4MB

Download
memory/2632-27-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/2632-28-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/3004-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download