52c657629359928d335faf3305132f8e9e927df1f416079953adbc6e2b3f5c66

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe
Size

1.7MB
MD5

2402ac523f9a0d195ebff1d49b320747
SHA1

478adb9d6c0b62999841420f6bbb14cac74cbdf2
SHA256

498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a
SHA512

54f6a81e0f5a9fe190d4a902b32fa21dde5f4e86d1585e755bebb944facb21dfce44a6432d1c01158a6d29b2ba248707d66236ade3b777541e500b0b6cee917e
SSDEEP

49152:9vGC97fBQX1DP0ZkjeZRULNiXicJFFRGNzj3:tGCRfBC70ZkjH7wRGpj3

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
472	Process not Found
1872	alg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2668	498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2668	498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe
2668	498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe
2668	498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe

C:\Users\Admin\AppData\Local\Temp\498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe
"C:\Users\Admin\AppData\Local\Temp\498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2668

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4895f8ef27899587fab4df3cf73caf83

SHA1
40476e00ead2b10bad2f35a9a823d5c79f64d0c5

SHA256
51c0a155b6eb839050f3b781b77ce054133f340a1ca19439a193359905f843c2

SHA512
543556eebad69a8c85463abeb08afdf21e0b54c73d4c672d32650d3ac16bf1e63031bbf9f787c8c79fef066cc5e65da5ca637c50212d72973c8f39feefe35a09

Download Submit
memory/1872-16-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/1872-18-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/2668-0-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2668-8-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/2668-1-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/2668-17-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download