4d385b9fde266f9685f95949c60ec9f5b29d1bde22de2eb0c882bca8eac71293

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-11-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOpusInstall.exe
Size

38.5MB
MD5

99540b8e8d91ae5546fc24410a96c457
SHA1

f36a5a85c041126a48d7486420bf35da8c31d922
SHA256

4d385b9fde266f9685f95949c60ec9f5b29d1bde22de2eb0c882bca8eac71293
SHA512

4400f7bb0a2e78c729228149cd8d47ea55c9b5f3207fc95478c4e31316c42423c4bbf7eece178b316a9153230bc0ac87873ba203d01ff39eb348fdf72b7d14a5
SSDEEP

786432:/kHdKBCtY9GML0dko3ad91eoUJ9gARHTVw6Z1Wq+NYr79b7GE2xlDRB:+g99GM4v3ad99AhRHTVfZ1Wq+0ExN

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

DOpusInstall.tmp

pid process

2700 DOpusInstall.tmp
Loads dropped DLL 2 IoCs

Processes:

DOpusInstall.exeDOpusInstall.tmp

pid process

2188 DOpusInstall.exe
2700 DOpusInstall.tmp

pid	process
2700	DOpusInstall.tmp

pid	process
2188	DOpusInstall.exe
2700	DOpusInstall.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

DOpusInstall.exeDOpusInstall.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOpusInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOpusInstall.tmp

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

DOpusInstall.exe

description	pid	process	target process
PID 2188 wrote to memory of 2700	2188	DOpusInstall.exe	DOpusInstall.tmp
PID 2188 wrote to memory of 2700	2188	DOpusInstall.exe	DOpusInstall.tmp
PID 2188 wrote to memory of 2700	2188	DOpusInstall.exe	DOpusInstall.tmp
PID 2188 wrote to memory of 2700	2188	DOpusInstall.exe	DOpusInstall.tmp
PID 2188 wrote to memory of 2700	2188	DOpusInstall.exe	DOpusInstall.tmp
PID 2188 wrote to memory of 2700	2188	DOpusInstall.exe	DOpusInstall.tmp
PID 2188 wrote to memory of 2700	2188	DOpusInstall.exe	DOpusInstall.tmp

C:\Users\Admin\AppData\Local\Temp\DOpusInstall.exe
"C:\Users\Admin\AppData\Local\Temp\DOpusInstall.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188

C:\Users\Admin\AppData\Local\Temp\is-1KJLQ.tmp\DOpusInstall.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1KJLQ.tmp\DOpusInstall.tmp" /SL5="$301CE,39321588,863232,C:\Users\Admin\AppData\Local\Temp\DOpusInstall.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-1KJLQ.tmp\DOpusInstall.tmp

Filesize
3.1MB

MD5
07ee2202fc2470c6e4d0fd912b769931

SHA1
39daf3eecf260954e44e30cee162ddbfa9ba337b

SHA256
c9859a64c8da1f512e6111dd028e47cdd50bae46af2e105c0a0a1e9668eb86f6

SHA512
0014812f8bbe3d18b038096d50ea5d75a70ba7858de6280a3d79118f205eba6982bd4e504f5eb5d455de79503992db10509012e93f73f0105126176c45da6bf8

Download Submit
\Users\Admin\AppData\Local\Temp\is-81NUS.tmp\innohelp.dll

Filesize
85KB

MD5
bcf8dafbc9188b00025e4425b86669cf

SHA1
a8ee26d9181a69694356b90b8c5ce00fab722486

SHA256
3a41354a740cd1e7f2ef27ec3249bfd9aa4f07eb803a2f1824b8ef7911b5464f

SHA512
234cfac5112e46ca89035c0cde811bddd480114fdffee5e56e7fef29f39c88327471516aad3c3112a8f489a065750cca4a13d4cbab676ecae02da54d65d61d0b

Download Submit
memory/2188-14-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2188-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2188-0-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2700-24-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2700-28-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2700-18-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2700-20-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2700-22-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2700-9-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2700-26-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2700-16-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2700-30-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2700-32-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2700-34-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2700-36-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2700-38-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2700-40-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2700-42-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download