Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 16-10-2024 22:26
Behavioral task behavioral1
- Sample: Creal.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: Creal.exe
- Resource: win10v2004-20241007-en
General
- Target: Creal.exe
- Size: 7.3MB
- MD5: b867469d2d9f97d98f60c9ea4302418a
- SHA1: e67fcbb3e8043436739391efa883ec99f8eab30a
- SHA256: 381116b75b5da7f4a92f21197efceb9a202ecae7b8d852dab506fbb97e2e150c
- SHA512: 027cdfd76b942ac303258976c0f936bd5ef12f59a28bf2f165f6d1d6686bcd533dfff67bbcc4eac4d7eb2a631d80b7199a6599869419aaef90968417b2e6633f
- SSDEEP: 196608:QL1OgOCT+aj1rpnrJehwiIbZg4TIdQNm5XKCt7o5cJwDb2:QpoCT+aoqbCdQyftBJwDb2
Malware Config
Signatures
-
- Loads dropped DLL (1 IoC)
  pid   Process
  2336  Creal.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  description  ioc                                                             Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     Creal.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     Creal.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                    pid   Process    procid_target
  PID 2320 wrote to memory of 2336  2320  Creal.exe  28
  PID 2320 wrote to memory of 2336  2320  Creal.exe  28
  PID 2320 wrote to memory of 2336  2320  Creal.exe  28
  PID 2320 wrote to memory of 2336  2320  Creal.exe  28
Processes
- C:\Users\Admin\AppData\Local\Temp\Creal.exe "C:\Users\Admin\AppData\Local\Temp\Creal.exe" (PID: 2320)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\Creal.exe "C:\Users\Admin\AppData\Local\Temp\Creal.exe" (PID: 2336)
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.9MB
- MD5: 87bb8d7f9f22e11d2a3c196ee9bf36a5
- SHA1: 45dfcb22987f5a20a9b32410336c0d097ca91b35
- SHA256: 1269f15b1c8daa25af81e6ad22f9bcebfd2c76aec81c18c6d800460b7105bf98
- SHA512: 75bb2ae36b693e2a1e5ba003503d07ba975f9436fb3da9bf3fc4087a281cb172fa9bd13ad6fc27a62f796af6cbe0c800e2a169c65949a96bd4d0e150f4858288