791882f2dc22713c806dede8406e1ce219bfc79824fd8ec7e370277e7ed47837

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Adopt Me Script.exe
Size

1.6MB
MD5

30002176d8f6773689b5edde812a066f
SHA1

10b655f1c879f03fb797f1551f9860b94aa6188b
SHA256

bd2ee92415462e4ea8eb07e52fabb47098c2234f0f7f7ef440c31432144e581c
SHA512

2ae8676bfd507ee3a40fe27c241c8503b68a1e25e453a8e272e68ef18f5afc8e90430f2b3bc81f51b8e191eb0bb1a1f056eeb3f26ac291f14aa0568c96ff3e27
SSDEEP

24576:gawwKusHwEwS2DGqK+IzO6I6h6gEGe/NIsWvMyCShx+F:wwREDT8HShv2NuMs+F

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2016	Adopt Me Script.tmp

Loads dropped DLL 2 IoCs

pid	Process
1700	Adopt Me Script.exe
2016	Adopt Me Script.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adopt Me Script.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adopt Me Script.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2016	1700	Adopt Me Script.exe	30
PID 1700 wrote to memory of 2016	1700	Adopt Me Script.exe	30
PID 1700 wrote to memory of 2016	1700	Adopt Me Script.exe	30
PID 1700 wrote to memory of 2016	1700	Adopt Me Script.exe	30
PID 1700 wrote to memory of 2016	1700	Adopt Me Script.exe	30
PID 1700 wrote to memory of 2016	1700	Adopt Me Script.exe	30
PID 1700 wrote to memory of 2016	1700	Adopt Me Script.exe	30

C:\Users\Admin\AppData\Local\Temp\Adopt Me Script.exe
"C:\Users\Admin\AppData\Local\Temp\Adopt Me Script.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\is-RDMMG.tmp\Adopt Me Script.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RDMMG.tmp\Adopt Me Script.tmp" /SL5="$40016,865850,776192,C:\Users\Admin\AppData\Local\Temp\Adopt Me Script.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-RB0UC.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
\Users\Admin\AppData\Local\Temp\is-RDMMG.tmp\Adopt Me Script.tmp

Filesize
3.0MB

MD5
2a1c11173b4ccf107828943ef0576a98

SHA1
e1f85aea047ef7a1e9686ca7de8e5a8daae0318d

SHA256
208a7a2f6573dcc8c76bd04920939f1f59f90d6326eff331d46a4367d2571d1c

SHA512
5ddc146846ee65379eef4f670cfeecc4ec7c4b274ea703e0cd30e11805ae45b0cbc9efbb519aadcde1ff7f90e1b409966ce7f9db45e4d9cbefcdd3ea41b2816b

Download Submit
memory/1700-14-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1700-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/1700-0-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2016-24-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2016-28-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2016-18-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2016-20-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2016-22-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2016-9-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2016-26-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2016-16-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2016-30-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2016-32-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2016-34-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2016-36-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2016-38-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2016-40-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/2016-42-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download