a792b676c5c8338be41b2d54a02b31cc2c8ddbba6fdd12b5f9bd7d67fee37068

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a792b676c5c8338be41b2d54a02b31cc2c8ddbba6fdd12b5f9bd7d67fee37068.exe
Size

1.1MB
MD5

aa3e783898f8ba7a42cb05a0b8ee7dcc
SHA1

f5faf6af37ef433182fae2f1fb16b930068552a7
SHA256

a792b676c5c8338be41b2d54a02b31cc2c8ddbba6fdd12b5f9bd7d67fee37068
SHA512

a6ce50ebc8dbf2dbfbb75eb907983d760e9cd513fc023aaccc96833ae3baf19ef5d452006ffc94fc8569112b7975312ddf4b16b5771a1acb23103f28ae19ecc8
SSDEEP

24576:MVJrJ3YpLtsXGx9Q8zQ/+kCsg+T3yKqTbG39zy:MJoUXGx9i/w0jyd+y

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a792b676c5c8338be41b2d54a02b31cc2c8ddbba6fdd12b5f9bd7d67fee37068.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2960	a792b676c5c8338be41b2d54a02b31cc2c8ddbba6fdd12b5f9bd7d67fee37068.exe
2960	a792b676c5c8338be41b2d54a02b31cc2c8ddbba6fdd12b5f9bd7d67fee37068.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2960	a792b676c5c8338be41b2d54a02b31cc2c8ddbba6fdd12b5f9bd7d67fee37068.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	a792b676c5c8338be41b2d54a02b31cc2c8ddbba6fdd12b5f9bd7d67fee37068.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2960	a792b676c5c8338be41b2d54a02b31cc2c8ddbba6fdd12b5f9bd7d67fee37068.exe
2960	a792b676c5c8338be41b2d54a02b31cc2c8ddbba6fdd12b5f9bd7d67fee37068.exe

C:\Users\Admin\AppData\Local\Temp\a792b676c5c8338be41b2d54a02b31cc2c8ddbba6fdd12b5f9bd7d67fee37068.exe
"C:\Users\Admin\AppData\Local\Temp\a792b676c5c8338be41b2d54a02b31cc2c8ddbba6fdd12b5f9bd7d67fee37068.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RCXBBD4.tmp

Filesize
1.1MB

MD5
c9b1c07b9f3232fb450d10a8d01228bf

SHA1
be53dcf2c22edf8f7f171e9ca07781590aa9f041

SHA256
50821afaa0fa400cb7adf6d6dd84ec430045706490f87c35f631b880dcb8f948

SHA512
4fade5d89c8c24ef32cc4e2cce8feffe6701eff00cc9662b33d32823f94b0a6cf7171654f6e5abfd59ee6c07b88e035569b945d4107a67e121d9bc0b08486234

Download Submit
memory/2960-0-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2960-19-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download