fadf5db8b8ad33c09f05cbfbe516e0e4340cf6105ec0c7b457bc865cd6effb0f

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fadf5db8b8ad33c09f05cbfbe516e0e4340cf6105ec0c7b457bc865cd6effb0f.exe
Size

1.6MB
MD5

576878cdea2aac597f23ccc8c33014b0
SHA1

5cec14583ac184a0ed88ec108ee3781199382a5b
SHA256

fadf5db8b8ad33c09f05cbfbe516e0e4340cf6105ec0c7b457bc865cd6effb0f
SHA512

1dde3e96d10839608091d60e07d9a719b8c5b66c72bfdd7190dd8701577d9788cd57d61f62b3b44e879e49eebf1dca2ae4b52371087ad31e870d7e3cb49c73bc
SSDEEP

49152:XYLiZUlUGG3dZynV4oDabuWbDQOcIxJJV:oLiZUJCv+RDabpH

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1772	1A0A0A0A120D156F155C15D0C0E160A0D160E.exe

Loads dropped DLL 2 IoCs

pid	Process
2316	fadf5db8b8ad33c09f05cbfbe516e0e4340cf6105ec0c7b457bc865cd6effb0f.exe
2316	fadf5db8b8ad33c09f05cbfbe516e0e4340cf6105ec0c7b457bc865cd6effb0f.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2316	fadf5db8b8ad33c09f05cbfbe516e0e4340cf6105ec0c7b457bc865cd6effb0f.exe
1772	1A0A0A0A120D156F155C15D0C0E160A0D160E.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fadf5db8b8ad33c09f05cbfbe516e0e4340cf6105ec0c7b457bc865cd6effb0f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1A0A0A0A120D156F155C15D0C0E160A0D160E.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 1772	2316	fadf5db8b8ad33c09f05cbfbe516e0e4340cf6105ec0c7b457bc865cd6effb0f.exe	30
PID 2316 wrote to memory of 1772	2316	fadf5db8b8ad33c09f05cbfbe516e0e4340cf6105ec0c7b457bc865cd6effb0f.exe	30
PID 2316 wrote to memory of 1772	2316	fadf5db8b8ad33c09f05cbfbe516e0e4340cf6105ec0c7b457bc865cd6effb0f.exe	30
PID 2316 wrote to memory of 1772	2316	fadf5db8b8ad33c09f05cbfbe516e0e4340cf6105ec0c7b457bc865cd6effb0f.exe	30

C:\Users\Admin\AppData\Local\Temp\fadf5db8b8ad33c09f05cbfbe516e0e4340cf6105ec0c7b457bc865cd6effb0f.exe
"C:\Users\Admin\AppData\Local\Temp\fadf5db8b8ad33c09f05cbfbe516e0e4340cf6105ec0c7b457bc865cd6effb0f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\1A0A0A0A120D156F155C15D0C0E160A0D160E.exe
  C:\Users\Admin\AppData\Local\Temp\1A0A0A0A120D156F155C15D0C0E160A0D160E.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\1A0A0A0A120D156F155C15D0C0E160A0D160E.exe

Filesize
1.6MB

MD5
77faf34570b3aeb487e957bfe775d7a5

SHA1
41e438f5a67ca00ee7910f92bce75fa6032a1233

SHA256
dfa9cdbbded47388988090110c5f9d99ac3ccbe78729e9003160c25854494e9b

SHA512
ab85bd40b22e7f25ca68d87fd6e7a23bbda69018978d887353b978c5ca0cbd7d2f49a5a7a06bc72ba0bee2a6a45a10f6d0435a8139a690d960f1b59ce994ad30

Download Submit
memory/1772-14-0x0000000000400000-0x00000000005AC2B4-memory.dmp

Filesize
1.7MB

Download
memory/1772-16-0x0000000000400000-0x00000000005AC2B4-memory.dmp

Filesize
1.7MB

Download
memory/1772-15-0x0000000000400000-0x00000000005AC2B4-memory.dmp

Filesize
1.7MB

Download
memory/1772-17-0x0000000000400000-0x00000000005AC2B4-memory.dmp

Filesize
1.7MB

Download
memory/2316-0-0x0000000000400000-0x00000000005AC2B4-memory.dmp

Filesize
1.7MB

Download
memory/2316-1-0x0000000000401000-0x000000000041F000-memory.dmp

Filesize
120KB

Download
memory/2316-2-0x0000000000400000-0x00000000005AC2B4-memory.dmp

Filesize
1.7MB

Download
memory/2316-12-0x0000000000400000-0x00000000005AC2B4-memory.dmp

Filesize
1.7MB

Download
memory/2316-11-0x0000000002120000-0x00000000022CD000-memory.dmp

Filesize
1.7MB

Download