Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/11/2024, 02:46

General

  • Target

    139174a2bd30566c5c3d2d65da55dcfbf013e23359c9424590ba83cb0576d719.exe

  • Size

    78KB

  • MD5

    d5ae0008032818e51abe3d53868d9c06

  • SHA1

    aa7993aa73f323b35fe5468a3872d7c786e42d5d

  • SHA256

    139174a2bd30566c5c3d2d65da55dcfbf013e23359c9424590ba83cb0576d719

  • SHA512

    793d8119e5328132752dca6f0b6d7491ab72f18f8083d1d36743d6ee22e10ba8097d881803a2f4f1f5d27eb9e737fb42de54d4304b681736c225ea9a120426a4

  • SSDEEP

    1536:abSshapMJgKJUuxGmfJPtOgqm1s/XZSWcH5:K25KJFjfJPtOgqm2/XZXk

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\139174a2bd30566c5c3d2d65da55dcfbf013e23359c9424590ba83cb0576d719.exe
    "C:\Users\Admin\AppData\Local\Temp\139174a2bd30566c5c3d2d65da55dcfbf013e23359c9424590ba83cb0576d719.exe"
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2136
    • \??\c:\users\admin\appdata\local\temp\winlgon.exe
      c:\users\admin\appdata\local\temp\winlgon.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 256
        • Loads dropped DLL
        • Program crash
        PID:2316

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\winlgon.exe

    Filesize

    78KB

    MD5

    b822bbd3b2ace841c424fa62074014fd

    SHA1

    f4fc701149c0f2eb6e0f40696148c7effbc237c7

    SHA256

    6e7ac5f82a87172139c497bf07fd139338f6b00f7dd562f8b38def3c9a033eab

    SHA512

    8e4cc1d479fc37447e0ad6a56aebc643e9a28efd059841f84c62b5efa4d0ac18bbb9c0dddaa0a23540365fe299fe1451037c10e2b83e961e1071a96fdaf6e8e8