a9ac0b1d8a4f8a61d621bec622f4f6b13c7b66f2ed009cd90aebb2a7727da228

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26/11/2024, 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FNTDEZE.exe
Size

10.2MB
MD5

4a6029621511b1ee7e9dbaabeebeb2cb
SHA1

06e9648914e177827d4624dbf1fd63fdaf666411
SHA256

a9ac0b1d8a4f8a61d621bec622f4f6b13c7b66f2ed009cd90aebb2a7727da228
SHA512

71fbfc2acbdde34a5adf15d3e4dc99d6fd2f667013ba506652f0cb543fa0550148e7277ad706bfa65f552a652b2c9104ca7f7e8c2e6706d45bfa922b828560e4
SSDEEP

196608:Ein3DxOpJlXC4NmNumGOEJohaDjx4a0FAwYxM44BXVhs8yaqbvYY:VnTxOpJUi/raMjm2BP4Dhs8sY

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000500000001c780-45.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2832	FNTDEZE.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001c780-45.dat	upx
behavioral1/memory/2832-47-0x0000000074870000-0x0000000074CF2000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FNTDEZE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FNTDEZE.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2832	2392	FNTDEZE.exe	30
PID 2392 wrote to memory of 2832	2392	FNTDEZE.exe	30
PID 2392 wrote to memory of 2832	2392	FNTDEZE.exe	30
PID 2392 wrote to memory of 2832	2392	FNTDEZE.exe	30

C:\Users\Admin\AppData\Local\Temp\FNTDEZE.exe
"C:\Users\Admin\AppData\Local\Temp\FNTDEZE.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\FNTDEZE.exe
  "C:\Users\Admin\AppData\Local\Temp\FNTDEZE.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI23922\python39.dll

Filesize
1.2MB

MD5
7cd78961972c635bbe49b29bb86e5726

SHA1
5677a224e3b1c27ffd05a6ccea6ffcbbdb42b3ef

SHA256
e99fc9e98f769b903473ba46ab4a6019df3126d8d40184c369a91fdeb5a336ca

SHA512
0dca58bea7a0297bbe7166b908ce4f6b2e0a85586492c3ba7f4aa8c75e12d3ca854040426a674ba5f75c2f53d407accda5ced56ce7166ca9a6ef40a1857ca145

Download Submit
memory/2832-47-0x0000000074870000-0x0000000074CF2000-memory.dmp

Filesize
4.5MB

Download