73b6df0add9bc6b5792d274d316ecd70d636847db25ce6f3e63e77fb72369037

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe
Size

3.9MB
MD5

c8420fe03d088ed9558dea175de7711f
SHA1

2feece2652375bee5171f31d10caf9ea4291ed36
SHA256

7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8
SHA512

ef935456d3fd0a7f32b1abb8bfc2ccb9b37443835157f9b8805875fce15ab1b9ec1639253d6ec20b83dadae714531e49f6c26621fbb5ffca46af665a5df88a2a
SSDEEP

98304:rUg3G64EgdhTNuQmT19jSxkUDsY5HJFWHzFJkyTnIDQVVNdM8LtUIgCfhsT:lGNXNu/LjeOY5pFovkyTIDQs8LqIgCK

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Setup.exe

pid	Process
2692	Setup.exe

Loads dropped DLL 1 IoCs

Processes:

7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe

pid	Process
2668	7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exeSetup.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Setup.exe

pid	Process
2692	Setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe

description	pid	Process	procid_target
PID 2668 wrote to memory of 2692	2668	7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe	30
PID 2668 wrote to memory of 2692	2668	7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe	30
PID 2668 wrote to memory of 2692	2668	7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe	30
PID 2668 wrote to memory of 2692	2668	7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe	30
PID 2668 wrote to memory of 2692	2668	7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe	30
PID 2668 wrote to memory of 2692	2668	7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe	30
PID 2668 wrote to memory of 2692	2668	7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe	30

C:\Users\Admin\AppData\Local\Temp\7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe
"C:\Users\Admin\AppData\Local\Temp\7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.ini

Filesize
227B

MD5
387fd915fa13d669dc58a84c88eaa943

SHA1
35745ce0cbabf6eecd6fe9719807ef95850ce150

SHA256
0033c9906f7b33f25e12cee7d1e7e07163d509d4569dfd5175ca321587b7fe5b

SHA512
c4e49cce74c81b0c020f28bc9806c118b4863dda464977379146bffc72cb1e9bea3492aed31f62f1499d8d778da676cf1154bc5176a974c46422eeb3a986e5af

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.EXE

Filesize
999KB

MD5
7940573022d81cbdb9c04a22f5d88ad5

SHA1
7352716c480ee92ab212bfcd2627f802d03907cc

SHA256
3d413208468ad2a4a8f865ba41544ddad94b020084597ef971848425b38d3d14

SHA512
df06e17515e3e3b1b2b97b49272dd69163fde07ae18ba49b86ae9f9c406b267bb152eaa0b325d044994c328627424b56e9e14948b7d3b93679b165062eeaf60b

Download Submit
memory/2692-20-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download