f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aa

Analysis

max time kernel
15s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
Size

299KB
MD5

cb9f01bf2c87d420400d81b50ef2ef10
SHA1

6696f4617d5c7b21f79c818955c265ac85524877
SHA256

f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aa
SHA512

18d814e022a7670e8e0891d8ac7150d1c5e6ab3cd89c624147dc31c08437a062ceb4d314344c6628e2966e79d00340946b3a89a89047b132eeba0034e5ab6dbd
SSDEEP

6144:L+k5XLaJbcplKJmxOYO3rLPFE2NJOdK/wmj:t+JbMJqfFE27P9j

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2780	explorer.exe
2676	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
2780	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2372 set thread context of 1844	2372	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	31
PID 2780 set thread context of 2676	2780	explorer.exe	33

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2372	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
2780	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2336	2372	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	30
PID 2372 wrote to memory of 2336	2372	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	30
PID 2372 wrote to memory of 2336	2372	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	30
PID 2372 wrote to memory of 2336	2372	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	30
PID 2372 wrote to memory of 1844	2372	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	31
PID 2372 wrote to memory of 1844	2372	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	31
PID 2372 wrote to memory of 1844	2372	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	31
PID 2372 wrote to memory of 1844	2372	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	31
PID 2372 wrote to memory of 1844	2372	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	31
PID 2372 wrote to memory of 1844	2372	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	31
PID 2372 wrote to memory of 1844	2372	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	31
PID 2372 wrote to memory of 1844	2372	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	31
PID 2372 wrote to memory of 1844	2372	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	31
PID 2372 wrote to memory of 1844	2372	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	31
PID 2372 wrote to memory of 1844	2372	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	31
PID 2372 wrote to memory of 1844	2372	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	31
PID 2372 wrote to memory of 1844	2372	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	31
PID 1844 wrote to memory of 2780	1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	32
PID 1844 wrote to memory of 2780	1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	32
PID 1844 wrote to memory of 2780	1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	32
PID 1844 wrote to memory of 2780	1844	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	32
PID 2372 wrote to memory of 1844	2372	NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe	31
PID 2780 wrote to memory of 2676	2780	explorer.exe	33
PID 2780 wrote to memory of 2676	2780	explorer.exe	33
PID 2780 wrote to memory of 2676	2780	explorer.exe	33
PID 2780 wrote to memory of 2676	2780	explorer.exe	33
PID 2780 wrote to memory of 2676	2780	explorer.exe	33
PID 2780 wrote to memory of 2676	2780	explorer.exe	33
PID 2780 wrote to memory of 2676	2780	explorer.exe	33
PID 2780 wrote to memory of 2676	2780	explorer.exe	33
PID 2780 wrote to memory of 2676	2780	explorer.exe	33
PID 2780 wrote to memory of 2676	2780	explorer.exe	33
PID 2780 wrote to memory of 2676	2780	explorer.exe	33
PID 2780 wrote to memory of 2676	2780	explorer.exe	33

C:\Users\Admin\AppData\Local\Temp\NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
"C:\Users\Admin\AppData\Local\Temp\NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
  C:\Users\Admin\AppData\Local\Temp\NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
  2⤵
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
  C:\Users\Admin\AppData\Local\Temp\NoThreatDetected-f067799255c37ab7b542d0e047e642aa8d5045026fae8d9b2661f5d9c8f3a1aaN.exe
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1844
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      4⤵
      Executes dropped EXE
      PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Resources\Themes\explorer.exe

Filesize
299KB

MD5
2bb0193efa91c4061a01927df7f84371

SHA1
904eb42e059c076ba602e9d1070d7e3a98422b96

SHA256
4967418223bf94cc7e7e4f914a3a0e096af0a46247ae35bab40cf9599b0c4299

SHA512
8895f54201f18145751700d3dd7cef159926e87a2b7a6f13ff701a48ff7d4a6ecaac65e2a80a576200f969212a4b07466900573ad34afb16f2dc13f054738fef

Download Submit
memory/1844-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-1-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/1844-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1844-46-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-0-0x0000000000140000-0x0000000000145000-memory.dmp

Filesize
20KB

Download
memory/2676-35-0x0000000000400000-0x000000000101C000-memory.dmp

Filesize
12.1MB

Download
memory/2676-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2676-34-0x0000000000400000-0x000000000101C000-memory.dmp

Filesize
12.1MB

Download
memory/2676-39-0x0000000000400000-0x000000000101C000-memory.dmp

Filesize
12.1MB

Download
memory/2676-36-0x0000000000400000-0x000000000101C000-memory.dmp

Filesize
12.1MB

Download
memory/2676-43-0x0000000000400000-0x000000000101C000-memory.dmp

Filesize
12.1MB

Download
memory/2676-38-0x0000000000400000-0x000000000101C000-memory.dmp

Filesize
12.1MB

Download