8b0f9d248e67199bb7f1a778a03e4caee7d267e61d8a7d70fa1c1f6d7944e96a

Analysis

max time kernel
1561s
max time network
1562s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
Size

738KB
MD5

7bb86f70896668026b6d4b5367286d6a
SHA1

045a3418eb97c7f21bb13419e35f1d2e3e06bbc7
SHA256

46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883
SHA512

fbddb09cad41351b81e86546d4287c9b6d85fd5312bf4e31ba7ff32451097258e9724e2614a9049647c2c7057cf614f6810321d0b117d47d81127b85f3737f8e
SSDEEP

12288:f0WNgzknmWB2idjljtvHTHiiXuMvCQPyiyX7rJVIaP0vQ5M0rirmgRcdalSjEQgC:MWmzVWNZPvHzXuuPyzteQ5LahGv3

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2732	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2732	AcroRd32.exe
2732	AcroRd32.exe
2732	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2732	1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe	30
PID 1600 wrote to memory of 2732	1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe	30
PID 1600 wrote to memory of 2732	1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe	30
PID 1600 wrote to memory of 2732	1600	46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe	30

C:\Users\Admin\AppData\Local\Temp\46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe
"C:\Users\Admin\AppData\Local\Temp\46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Resume.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Resume.pdf

Filesize
33KB

MD5
6043378dfaad5b94288ac9b7183c6050

SHA1
07315ce4317a95da784d2f0a610623b3df28ccdd

SHA256
35c6c877bceab6778950d2bf2cda1dc54597521a4e5783be3ba64aef29088bcd

SHA512
205995644736ed36de78aec19d2b727b42d2729de3b8eaba8a4534e39381e9ae65f0ad05c3a2229a00054512feb14fd0b6a4b2c07720a61ba545c0bd41b12f21

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
87da58887801918eb8d4e3ff4774d45e

SHA1
66dd2d49e4973c5a13397b704d033779fb822255

SHA256
cc8b8e4e248d7e19eab36b4c434a0e59b0b8c7463a78bf6b1e2e2797638acd9a

SHA512
c75f182b1698ef7375bcdf473b52ffc439732df3e0478acc4018ee6be77b11ab9907904807ce9057f6b2d4ade846ec736bdeab97c8f057db92749b5f8d015643

Download Submit
memory/1600-1-0x00000000005ED000-0x00000000005EE000-memory.dmp

Filesize
4KB

Download
memory/1600-0-0x0000000000400000-0x00000000005F2000-memory.dmp

Filesize
1.9MB

Download
memory/1600-3-0x0000000000400000-0x00000000005F2000-memory.dmp

Filesize
1.9MB

Download
memory/1600-6-0x0000000000400000-0x00000000005F2000-memory.dmp

Filesize
1.9MB

Download