1dea3f49d69a513d58993d905ab223910e999f8171e6d34ce710258e741661af

Analysis

max time kernel
12s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Create_Installer_PLC0000037_2025_English_WIN64.exe
Size

14.8MB
MD5

c2c736c0bdffbb3b19465de129b186db
SHA1

d38edf985ead6f19bc8b962a336f5e9052760296
SHA256

1dea3f49d69a513d58993d905ab223910e999f8171e6d34ce710258e741661af
SHA512

8ba0ff2c1796a3af0233fea23681abe2e4a8cb460cfeb3c6fd6ad641f5bcf0a75970cd3c3559b3638765f9b920dad2cbfe92d43cf793b3c25f1a8ec51e5ae79e
SSDEEP

393216:cOvALyl+2v22kEzDAblO+w5Xfo5SCIBqL6ezzPv0v5p:sLKzv22kEzDs6fo5CqL3H0v5p

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1556	AdOdisDeployTool.exe

Loads dropped DLL 3 IoCs

pid	Process
1568	Create_Installer_PLC0000037_2025_English_WIN64.exe
1556	AdOdisDeployTool.exe
1556	AdOdisDeployTool.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Create_Installer_PLC0000037_2025_English_WIN64.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 1556	1568	Create_Installer_PLC0000037_2025_English_WIN64.exe	29
PID 1568 wrote to memory of 1556	1568	Create_Installer_PLC0000037_2025_English_WIN64.exe	29
PID 1568 wrote to memory of 1556	1568	Create_Installer_PLC0000037_2025_English_WIN64.exe	29
PID 1568 wrote to memory of 1556	1568	Create_Installer_PLC0000037_2025_English_WIN64.exe	29

C:\Users\Admin\AppData\Local\Temp\Create_Installer_PLC0000037_2025_English_WIN64.exe
"C:\Users\Admin\AppData\Local\Temp\Create_Installer_PLC0000037_2025_English_WIN64.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Users\Admin\AppData\Local\Temp\7zS1D31.tmp\AdOdisDeployTool.exe
  .\AdOdisDeployTool.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS1D31.tmp\Qt6Gui.dll

Filesize
7.7MB

MD5
0a287ac9523cbd9ba2623fc512bb1a78

SHA1
9b15f289bed6332c840da4b2231a6fd349640318

SHA256
320bc5d3f3f192573056ef3002e8ae4803d548b1601bf9664d9819d817668678

SHA512
aa9cbeeabd523169b2a8dd85a1c816ff401be717e774b095a4cb389675b536f07ecd3e1aa504fe0471d0305f34099d3a0f5d357bd5114cf065fcb1aeee43c31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1D31.tmp\Qt6Widgets.dll

Filesize
5.8MB

MD5
8617a435880df59c615586c5e2c80a57

SHA1
4624f424aff286bb2d1dfc1951c3667fb2a1c08c

SHA256
e1bb1e9438a3c7f92924e5c7f63c45eb606c2af0f39cf5fe05e18130e9897da9

SHA512
10cf76d9d07917a118195601e71ba3cc7ccb83d34eee2e4436d644dc38672c728603b2487b2b3f5fe3a766c309c0d2aa111e31441b13d3ac0649def0a00502e2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1D31.tmp\AdOdisDeployTool.exe

Filesize
2.1MB

MD5
2583cff0e6ee7729cbdc39e526a7f0a3

SHA1
2bc293deffdd71fcf7065bd388114961cfe05ac5

SHA256
611666eea0126134287054d426ed8ade5d13884c0a17c7253d72ff6497cf8457

SHA512
bdaf3bdab816b2e6e8c8f287519c6c961bc4e3f9be9afc52ef407b7d1aacd37c3a7889b2dcf559d784cf6fb869ce708a6a269d56a81f7ac9de1bc4bda8f66dd3

Download Submit