Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-09-2024 06:42

General

  • Target

    1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe

  • Size

    9.9MB

  • MD5

    8b333d82d155fa98d1673371a7518a90

  • SHA1

    f8fbf6b8cfa81226badd460b5758a974b63719dd

  • SHA256

    1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734

  • SHA512

    1a6c4dccad3852feed08cb7eaf10149889e2619450a0873e8e33b0e26134fd993bd10ec736d3496a62ebd420767273690a4443c721e1a2d0bc58154fe175acad

  • SSDEEP

    196608:7HqnhgJuP3LAhCiVXCWeZLsA1oMuWr45hrr2P:US+LVReJWGhrr2P

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 16 IoCs
  • Adds Run key to start application 2 TTPs 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 14 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 15 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
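The signature names above are the sandbox's summary of raw registry and file events. The following is an added example, not part of the report and not the sandbox's own rule set: it shows how those behaviours map onto matching rules over per-process events, and correlates the Run key write with the files the same process dropped. Only PID 2104, the child PID 1720 and the dropped path under Common Files\system\ja-JP come from the report; the registry key paths, the Run value name "OperatingWindows", the System32 file name and the benign PID 4000 are constructed for illustration.

```python
"""Map the report's signature list onto raw registry/file events (added example)."""
import re
from collections import defaultdict

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
UNINSTALL_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.I)
CPU_KEY = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I)
NLS_LANGUAGE_KEY = re.compile(r"\\Control\\Nls\\Language\\", re.I)
PROGRAM_FILES = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.I)
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)

# Constructed events: (pid, kind, registry key or file path, value data).
# Key names, the "OperatingWindows" value and the System32 file name are assumptions.
EVENTS = [
    (2104, "reg_set",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OperatingWindows",
     r'"c:\program files (x86)\common files\system\ja-jp\operatingwindows6.1.7600.16385.exe"'),
    (2104, "reg_enum", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", None),
    (2104, "reg_query",
     r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString", None),
    (2104, "reg_query",
     r"HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language\InstallLanguage", None),
    (2104, "file_write",
     r"c:\program files (x86)\common files\system\ja-jp\operatingwindows6.1.7600.16385.exe", None),
    (2104, "file_write", r"c:\windows\system32\constructed_example.dll", None),
    (1720, "reg_query", r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz", None),
    (4000, "reg_query",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", None),
]


def _norm(path):
    """Strip quotes and the NT \\??\\ prefix and lower-case so paths compare equal."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def run_signatures(events):
    """Return {pid: sorted signature names} using the report's own wording."""
    hits = defaultdict(set)
    written = defaultdict(set)  # pid -> files it created, used to correlate persistence
    for pid, kind, target, _ in events:
        if kind == "file_write":
            written[pid].add(_norm(target))
    for pid, kind, target, data in events:
        if kind == "reg_set" and RUN_KEY.search(target):
            hits[pid].add("Adds Run key to start application")
            # Persistence pointing at a file the same process just dropped is the
            # combination worth alerting on, not the Run key write by itself.
            if data and _norm(data) in written[pid]:
                hits[pid].add("Run key points at a file this process dropped")
        elif kind in ("reg_enum", "reg_query") and UNINSTALL_KEY.search(target):
            hits[pid].add("Checks installed software on the system")
        elif kind == "reg_query" and CPU_KEY.search(target):
            hits[pid].add("Checks processor information in registry")
        elif kind == "reg_query" and NLS_LANGUAGE_KEY.search(target):
            hits[pid].add("System Location Discovery: System Language Discovery")
        elif kind == "file_write" and PROGRAM_FILES.match(_norm(target)):
            hits[pid].add("Drops file in Program Files directory")
        elif kind == "file_write" and SYSTEM32.match(_norm(target)):
            hits[pid].add("Drops file in System32 directory")
    return {pid: sorted(names) for pid, names in hits.items()}


if __name__ == "__main__":
    for pid, names in run_signatures(EVENTS).items():
        print(pid, *names, sep="\n  ")
```

The registry reads (CentralProcessor, Nls\Language) are visible to a sandbox's API monitor but not to Sysmon, which only logs registry writes; on a production host the Run key write and the Program Files / System32 file creates are the parts of this rule set that an endpoint log can actually supply.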

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2104
    • \??\c:\program files (x86)\common files\system\ja-jp\operatingwindows6.1.7600.16385.exe
      "c:\program files (x86)\common files\system\ja-jp\operatingwindows6.1.7600.16385.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1720
    • \??\c:\program files (x86)\common files\microsoft shared\equation\1033\microsofteeintl.exe
      "c:\program files (x86)\common files\microsoft shared\equation\1033\microsofteeintl.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1772
    • \??\c:\program files (x86)\common files\system\ole db\it-it\msdasqlrwindows.exe
      "c:\program files (x86)\common files\system\ole db\it-it\msdasqlrwindows.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1484
    • \??\c:\program files (x86)\adobe\reader 9.0\esl\acrobatadobe.exe
      "c:\program files (x86)\adobe\reader 9.0\esl\acrobatadobe.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2132
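What makes this tree suspicious is the shape rather than any single child: one process starts four freshly written .exe files from three different product folders under Program Files (x86), and three of the four sit in locale or resource subfolders (ja-JP, 1033, it-IT) that normally hold resource files rather than executables. The code below is an added example, not part of the report: it rebuilds the tree from process-start records and flags both patterns. PIDs, image paths and parent/child relations are copied from the tree above; the parent PID 1000 for the sample and the start times are constructed because the report does not show them.

```python
"""Rebuild the process tree above and flag the dropper pattern (added example)."""
import re
from collections import defaultdict

# Constructed process-start records: (pid, ppid, image path as logged, start seconds).
# PIDs and paths come from the report; ppid 1000 and the times are assumptions.
PROCS = [
    (2104, 1000, r"C:\Users\Admin\AppData\Local\Temp\1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe", 0.0),
    (1720, 2104, r"\??\c:\program files (x86)\common files\system\ja-jp\operatingwindows6.1.7600.16385.exe", 1.2),
    (1772, 2104, r"\??\c:\program files (x86)\common files\microsoft shared\equation\1033\microsofteeintl.exe", 1.4),
    (1484, 2104, r"\??\c:\program files (x86)\common files\system\ole db\it-it\msdasqlrwindows.exe", 1.6),
    (2132, 2104, r"\??\c:\program files (x86)\adobe\reader 9.0\esl\acrobatadobe.exe", 1.9),
]

PROGRAM_FILES = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.I)
# A locale folder directly above the executable: "ja-JP"/"it-IT" tags or a 4-digit LCID (1033).
LOCALE_DIR = re.compile(r"\\(?:[a-z]{2}-[a-z]{2}|\d{4})\\[^\\]+\.exe$", re.I)


def norm(path):
    """Drop the NT \\??\\ prefix the sandbox logs and lower-case for comparison."""
    p = path[4:] if path.startswith("\\??\\") else path
    return p.lower()


def build_tree(procs):
    """ppid -> [child pids] in start order."""
    children = defaultdict(list)
    for pid, ppid, _, _ in sorted(procs, key=lambda p: p[3]):
        children[ppid].append(pid)
    return dict(children)


def product_root(path):
    """First two path components under Program Files, e.g. 'common files\\system'."""
    p = norm(path)
    m = PROGRAM_FILES.match(p)
    if not m:
        return None
    parts = p[m.end():].split("\\")
    return "\\".join(parts[:2]) if len(parts) > 2 else parts[0]


def launched_from_locale_dir(path):
    """True when an .exe runs from a language/resource subfolder."""
    return bool(LOCALE_DIR.search(norm(path)))


def dropper_spray(procs, parent, window=10.0, min_roots=2):
    """Children of `parent` started from Program Files within `window` seconds of
    the first one, spread over at least `min_roots` product folders.
    Returns ([child pids], sorted product roots) or None."""
    by_pid = {p[0]: p for p in procs}
    kids = [by_pid[c] for c in build_tree(procs).get(parent, [])]
    kids = [k for k in kids if PROGRAM_FILES.match(norm(k[2]))]
    if not kids:
        return None
    t0 = min(k[3] for k in kids)
    kids = [k for k in kids if k[3] - t0 <= window]
    roots = {product_root(k[2]) for k in kids}
    if len(roots) < min_roots:
        return None
    return [k[0] for k in kids], sorted(roots)


if __name__ == "__main__":
    print("tree:", build_tree(PROCS))
    print("locale-dir launches:", [p[0] for p in PROCS if launched_from_locale_dir(p[2])])
    print("spray:", dropper_spray(PROCS, 2104))
```

The locale heuristic alone misses acrobatadobe.exe under Adobe\Reader 9.0\Esl, which is why the spray check counts distinct product folders instead of relying on folder names; together they catch all four children and stay quiet for a normal installer that writes into one product folder.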

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCX67EA.tmp

    Filesize

    9.9MB

    MD5

    9300461b7f7446c16c68edd4a5cf40df

    SHA1

    f489b7c0743ad702103966a1f1b70b3db8941b3a

    SHA256

    b0552644a47c92b9a7ce1da6caf34ca1d62215b393aba179b45529247e81b850

    SHA512

    119b7d64cb2c23ec0895a23f45c905d641adc8cc2574bf656fc3ca1bccc954564c2ae88bd3c5435962f127197d2c7150c3e2264cd2a37f4cc918dfa427d57e61

  • C:\Program Files (x86)\Common Files\System\ja-JP\OperatingWindows6.1.7600.16385.exe

    Filesize

    9.9MB

    MD5

    58f7398d2803ea99485728d45cc50bc9

    SHA1

    63e91bcb6195397851937ff9117baed34ab4250d

    SHA256

    45e93f790cfb68572cfde40d7ac2c2796e314c8af582f12fe35055f983baf1d6

    SHA512

    ac2884674a8d87aa218e040f84349064b659a67fbea707c576934734980cbfc79873aa9e364dc9b1db44a017adfa94487f2025d33c8165fd59ae9c73420baa6c

  • C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\MicrosoftEEINTL.exe

    Filesize

    9.9MB

    MD5

    8b333d82d155fa98d1673371a7518a90

    SHA1

    f8fbf6b8cfa81226badd460b5758a974b63719dd

    SHA256

    1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734

    SHA512

    1a6c4dccad3852feed08cb7eaf10149889e2619450a0873e8e33b0e26134fd993bd10ec736d3496a62ebd420767273690a4443c721e1a2d0bc58154fe175acad
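All three dropped files are 9.9MB, but only MicrosoftEEINTL.exe carries the same MD5, SHA1, SHA256 and SHA512 as the submitted sample, so it is a byte-for-byte self-copy; RCX67EA.tmp and OperatingWindows6.1.7600.16385.exe are the same size with different digests. The following is an added example, not part of the report: it turns the hash table above into an IoC index, identifies the self-copy, and scans a directory for files matching any listed SHA256. The hash values are copied from the report; the streaming hasher, the temp-directory scan and the b"abc" self-check are constructed.

```python
"""IoC hash matching from the report's Downloads section (added example)."""
import hashlib
import io
import tempfile
from collections import defaultdict
from pathlib import Path

SAMPLE = {
    "name": "1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe",
    "sha256": "1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734",
}

# Dropped files exactly as the report lists them (path -> digests).
DROPPED = {
    r"C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCX67EA.tmp": {
        "md5": "9300461b7f7446c16c68edd4a5cf40df",
        "sha1": "f489b7c0743ad702103966a1f1b70b3db8941b3a",
        "sha256": "b0552644a47c92b9a7ce1da6caf34ca1d62215b393aba179b45529247e81b850",
    },
    r"C:\Program Files (x86)\Common Files\System\ja-JP\OperatingWindows6.1.7600.16385.exe": {
        "md5": "58f7398d2803ea99485728d45cc50bc9",
        "sha1": "63e91bcb6195397851937ff9117baed34ab4250d",
        "sha256": "45e93f790cfb68572cfde40d7ac2c2796e314c8af582f12fe35055f983baf1d6",
    },
    r"C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\MicrosoftEEINTL.exe": {
        "md5": "8b333d82d155fa98d1673371a7518a90",
        "sha1": "f8fbf6b8cfa81226badd460b5758a974b63719dd",
        "sha256": "1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734",
    },
}
ALGOS = ("md5", "sha1", "sha256", "sha512")


def hashes_of_stream(fh, chunk=1 << 20):
    """All four digests in one pass; chunked so a 9.9MB file is not read whole."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    for block in iter(lambda: fh.read(chunk), b""):
        for h in hs.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def hashes_of_bytes(data):
    return hashes_of_stream(io.BytesIO(data))


def file_hashes(path):
    with open(path, "rb") as fh:
        return hashes_of_stream(fh)


def self_copies(dropped, sample_sha256):
    """Dropped files whose SHA256 equals the submitted sample."""
    return [p for p, h in dropped.items() if h["sha256"] == sample_sha256]


def ioc_index(dropped, sample):
    """sha256 -> [report names], so a scan hit can be labelled."""
    idx = defaultdict(list)
    for path, h in dropped.items():
        idx[h["sha256"]].append(path)
    idx[sample["sha256"]].append(sample["name"])
    return dict(idx)


def scan(directory, index):
    """(path, [matching report names]) for every file whose SHA256 is indexed."""
    hits = []
    for path in Path(directory).rglob("*"):
        if path.is_file():
            digest = file_hashes(path)["sha256"]
            if digest in index:
                hits.append((str(path), index[digest]))
    return hits


def demo_scan():
    """Constructed check: a temp dir with one harmless file yields no hits."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "harmless.bin"
        p.write_bytes(b"abc")
        hits = scan(d, ioc_index(DROPPED, SAMPLE))
        same = file_hashes(p) == hashes_of_bytes(b"abc")
    return hits, same


if __name__ == "__main__":
    print("self-copies of the sample:", self_copies(DROPPED, SAMPLE["sha256"]))
    print("demo scan:", demo_scan())
```

Match on SHA256 rather than MD5 when you carry these indicators forward; MD5 is listed for cross-referencing older feeds, not as a trust anchor. The SSDEEP value from the report is deliberately left out because comparing it needs a fuzzy-hash library, and the two differing 9.9MB copies are exactly the case where a fuzzy match would be worth running.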