8dd2ab66550df67780f9baaa6f25afc2bf6b9f98232ba991adb196315aa3ca48

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8dd2ab66550df67780f9baaa6f25afc2bf6b9f98232ba991adb196315aa3ca48.exe
Size

1.2MB
MD5

52384fef59456488734789158c11e82e
SHA1

35a45a095f593259c99ccd9393b3e250cf273586
SHA256

8dd2ab66550df67780f9baaa6f25afc2bf6b9f98232ba991adb196315aa3ca48
SHA512

87f092c54d78efcd4b8eebfbf7c925ef9dd141bbfcfa6f83b0a7fdf88df441d9b31435f7dfb445bbbd2e028ccc21244d770ac8009617480890be08ce5d0adb55
SSDEEP

24576:wtb20pkaCqT5TBWgNQ7aAN14sLfXjfCnVUID0ZCjmhe6A:5Vg5tQ7aANGkfj/IMo5

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2268 set thread context of 2892	2268	8dd2ab66550df67780f9baaa6f25afc2bf6b9f98232ba991adb196315aa3ca48.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8dd2ab66550df67780f9baaa6f25afc2bf6b9f98232ba991adb196315aa3ca48.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2268	8dd2ab66550df67780f9baaa6f25afc2bf6b9f98232ba991adb196315aa3ca48.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2268	8dd2ab66550df67780f9baaa6f25afc2bf6b9f98232ba991adb196315aa3ca48.exe
2268	8dd2ab66550df67780f9baaa6f25afc2bf6b9f98232ba991adb196315aa3ca48.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2268	8dd2ab66550df67780f9baaa6f25afc2bf6b9f98232ba991adb196315aa3ca48.exe
2268	8dd2ab66550df67780f9baaa6f25afc2bf6b9f98232ba991adb196315aa3ca48.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2892	2268	8dd2ab66550df67780f9baaa6f25afc2bf6b9f98232ba991adb196315aa3ca48.exe	30
PID 2268 wrote to memory of 2892	2268	8dd2ab66550df67780f9baaa6f25afc2bf6b9f98232ba991adb196315aa3ca48.exe	30
PID 2268 wrote to memory of 2892	2268	8dd2ab66550df67780f9baaa6f25afc2bf6b9f98232ba991adb196315aa3ca48.exe	30
PID 2268 wrote to memory of 2892	2268	8dd2ab66550df67780f9baaa6f25afc2bf6b9f98232ba991adb196315aa3ca48.exe	30
PID 2268 wrote to memory of 2892	2268	8dd2ab66550df67780f9baaa6f25afc2bf6b9f98232ba991adb196315aa3ca48.exe	30

C:\Users\Admin\AppData\Local\Temp\8dd2ab66550df67780f9baaa6f25afc2bf6b9f98232ba991adb196315aa3ca48.exe
"C:\Users\Admin\AppData\Local\Temp\8dd2ab66550df67780f9baaa6f25afc2bf6b9f98232ba991adb196315aa3ca48.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\8dd2ab66550df67780f9baaa6f25afc2bf6b9f98232ba991adb196315aa3ca48.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cyclop

Filesize
282KB

MD5
6554b7553ed1d27b5b388f9d3ac34f47

SHA1
bd3ba9a5dcd355cf7a67cf4027eaa9f7cb5b7cec

SHA256
c210628b28f2ac7e1039d04c769528adec36993f5bada75f174da3d3224d881d

SHA512
66b96622aa3ff9d2cc249ddc2bd296ccc0d5de2245c202a2ed53e75453d6d382e5ad9ac124cd464a9a5805f89f0c38a4a9f485a9d9bd83627a9db1f0f015e729

Download Submit
memory/2268-7-0x0000000000B10000-0x0000000000F10000-memory.dmp

Filesize
4.0MB

Download
memory/2892-8-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2892-9-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2892-10-0x0000000000840000-0x0000000000B43000-memory.dmp

Filesize
3.0MB

Download
memory/2892-11-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download