de14c3b860519dc781aaee813d4fa3adc67d7653c544327f8d26d5b386564712

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.FileRepMalware.27261.32754.exe
Size

1.7MB
MD5

0d43698dffc5ee744f805a699df25c00
SHA1

c914a0238381f03d2558bedd423228ba3e4e0040
SHA256

de14c3b860519dc781aaee813d4fa3adc67d7653c544327f8d26d5b386564712
SHA512

57ffb5585ba3452ef039b59e7ac6c0484387aa37fca93b87e4ef49800d12aef338df010a5b8c87d451484ca0b2f0850ce304858a446247d2b7ed1bb280c1828f
SSDEEP

24576:s7FUDowAyrTVE3U5F/ZGqKUA4Kic6QL3E2vVsjECUAQT45deRV9RY:sBuZrEUMz4KIy029s4C1eH9y

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2548	SecuriteInfo.com.FileRepMalware.27261.32754.tmp

Loads dropped DLL 2 IoCs

pid	Process
2364	SecuriteInfo.com.FileRepMalware.27261.32754.exe
2548	SecuriteInfo.com.FileRepMalware.27261.32754.tmp

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.FileRepMalware.27261.32754.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.FileRepMalware.27261.32754.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2548	2364	SecuriteInfo.com.FileRepMalware.27261.32754.exe	30
PID 2364 wrote to memory of 2548	2364	SecuriteInfo.com.FileRepMalware.27261.32754.exe	30
PID 2364 wrote to memory of 2548	2364	SecuriteInfo.com.FileRepMalware.27261.32754.exe	30
PID 2364 wrote to memory of 2548	2364	SecuriteInfo.com.FileRepMalware.27261.32754.exe	30
PID 2364 wrote to memory of 2548	2364	SecuriteInfo.com.FileRepMalware.27261.32754.exe	30
PID 2364 wrote to memory of 2548	2364	SecuriteInfo.com.FileRepMalware.27261.32754.exe	30
PID 2364 wrote to memory of 2548	2364	SecuriteInfo.com.FileRepMalware.27261.32754.exe	30
PID 2548 wrote to memory of 2840	2548	SecuriteInfo.com.FileRepMalware.27261.32754.tmp	33
PID 2548 wrote to memory of 2840	2548	SecuriteInfo.com.FileRepMalware.27261.32754.tmp	33
PID 2548 wrote to memory of 2840	2548	SecuriteInfo.com.FileRepMalware.27261.32754.tmp	33
PID 2548 wrote to memory of 2840	2548	SecuriteInfo.com.FileRepMalware.27261.32754.tmp	33

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.27261.32754.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.27261.32754.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\is-G96SU.tmp\SecuriteInfo.com.FileRepMalware.27261.32754.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-G96SU.tmp\SecuriteInfo.com.FileRepMalware.27261.32754.tmp" /SL5="$400DC,922170,832512,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.27261.32754.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-7NSGD.tmp\do.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-7NSGD.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
\Users\Admin\AppData\Local\Temp\is-G96SU.tmp\SecuriteInfo.com.FileRepMalware.27261.32754.tmp

Filesize
3.1MB

MD5
5a617f74245e27297419874956a3ff3e

SHA1
2cbf5440d087f181bd3aa1f2cc0cd5991eb23e24

SHA256
b0d7bc97394fffea516cd704377d97419b784cbf7acb694c6a7736b89f916b58

SHA512
22b96898a133cf57fb71ad76a97852f750a77cb1eb90244b88151e4f087d86ad9ef348a8d2cfe410bc2a6a12440238fcd8a9acb6c8724036908d7cdf55177734

Download Submit
memory/2364-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2364-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2364-31-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2548-9-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2548-29-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download