46dc49be65d7165e2a6009854a4f27f0088230199e61e0555cb1bd266535874a

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

foo/034e4c62965f8d5dd5d5a2ce34a53ba9.exe
Size

416KB
MD5

034e4c62965f8d5dd5d5a2ce34a53ba9
SHA1

edc165e7e833a5e5345f675467398fb38cf6c16f
SHA256

52cb02da0462fdd08d537b2c949e2e252f7a7a88354d596e9f5c9f1498d1c68f
SHA512

c2de626a339d21e5fd287c0e625bca02c770e09f9cad01005160d473164fa8edc5fc381b6ddd01293bdd31f2d7de1b0171674d12ec428e42a97d0ed0b7efb9dd
SSDEEP

6144:FP/443+dYgkzGGbeX3xHLTpyrPqWTdpcZnrPNmZMiTwvHuQaDqIZ3oOk:Fo4OyxbeH15ynTdpcPsZlwG1DqIZ1k

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\waccess1428.tmp	034e4c62965f8d5dd5d5a2ce34a53ba9.exe
File opened for modification	C:\Windows\Microsoft Help\Secure	034e4c62965f8d5dd5d5a2ce34a53ba9.exe
File opened for modification	C:\Windows\Microsoft Help\Secure\wintp	034e4c62965f8d5dd5d5a2ce34a53ba9.exe
File opened for modification	C:\Windows\Microsoft Help\Secure\wintc	034e4c62965f8d5dd5d5a2ce34a53ba9.exe
File opened for modification	C:\Windows\Microsoft Help\Secure\Admin.tc.dat	034e4c62965f8d5dd5d5a2ce34a53ba9.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	034e4c62965f8d5dd5d5a2ce34a53ba9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 2576	1428	034e4c62965f8d5dd5d5a2ce34a53ba9.exe	31
PID 1428 wrote to memory of 2576	1428	034e4c62965f8d5dd5d5a2ce34a53ba9.exe	31
PID 1428 wrote to memory of 2576	1428	034e4c62965f8d5dd5d5a2ce34a53ba9.exe	31
PID 1428 wrote to memory of 2576	1428	034e4c62965f8d5dd5d5a2ce34a53ba9.exe	31

C:\Users\Admin\AppData\Local\Temp\foo\034e4c62965f8d5dd5d5a2ce34a53ba9.exe
"C:\Users\Admin\AppData\Local\Temp\foo\034e4c62965f8d5dd5d5a2ce34a53ba9.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c type "C:\Windows\\waccess1428.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\waccess1428.tmp

Filesize
12B

MD5
90e12ef91e007e3e947a0a134b1d63a0

SHA1
89576f2fbc05cda06967323451d84d5e9d5954ee

SHA256
b8ab89dd822ebe4dc614d3a9f0f9a8e96fefc643d3d4e1fc521477fe9064de64

SHA512
262a4c9f7cdfb573e5fe837dad87d1e8f767ceb031b4ba080fbff8ae6b0294b3325c515ad4d18b208476d821fdd3140b7d9419e39fbfd868f3c89333597b199b

Download Submit