5f2190af1debcee49a6aa8aa05f97492ce9bd4516c2d3cdaff8206f866117cf6

Resubmissions

08-11-2024 00:11

241108-agpcsaznfx 10

08-11-2024 00:07

241108-aeq4la1cla 10

08-11-2024 00:00

241108-aamwda1blg 10

Analysis

max time kernel
38s
max time network
16s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
08-11-2024 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

6.5MB
MD5

8c643afe3eae2bfbc531a83f8c1356c7
SHA1

252cec2459cc65df585c959d84b4f24f2e259af3
SHA256

5f2190af1debcee49a6aa8aa05f97492ce9bd4516c2d3cdaff8206f866117cf6
SHA512

e4d52b7537e0c298256c543f198a25e00b67f5f5bfede069f0d6a41696ee1ec0e1f8eac989f7208429af84854d558dbd31158605e65f891d2435e01990991bb8
SSDEEP

196608:1u4jYIJLc52Nt8cQS/1nXy2IIEZVMwICEc/jf:kutcStz9/1nXy22VJb

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0005000000018686-21.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2948	Built.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000018686-21.dat	upx
behavioral1/memory/2948-23-0x0000000074AF0000-0x0000000075082000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Built.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Built.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2948	2800	Built.exe	30
PID 2800 wrote to memory of 2948	2800	Built.exe	30
PID 2800 wrote to memory of 2948	2800	Built.exe	30
PID 2800 wrote to memory of 2948	2800	Built.exe	30

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI28002\python313.dll

Filesize
1.5MB

MD5
aa78e8a166f83bd96b4b140e4e1d9da0

SHA1
ffdb720b8fc6e3032258b9963d70bea8fdab1622

SHA256
c5926ed525522f0e411b25121a6f853ce6716f050bd632afbbf93ab2a8787a76

SHA512
14874c64d6b750b85b97d8fc9108dced469c43e93b41106504af0082f230073bd2ac077c636b8c47c5280e36f8c5dcf9dc2bebf9fea361d55e0240dc43a94c99

Download Submit
memory/2948-23-0x0000000074AF0000-0x0000000075082000-memory.dmp

Filesize
5.6MB

Download