1af039b45840346b46a0552781a6fcc4e53262ceb0297e743a331d37ae402434

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-12-2024 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7zS8B74BEBB/623f4eca3de95_Sat17334d36c.exe
Size

1.5MB
MD5

fc85547093253980b33b54219d28d736
SHA1

da6868bf22cf6d90ed4eac4f999784853a6a6120
SHA256

baaff6a861982a9eafdc8a4f59f2404e55e589ac509813b3782315aad744baec
SHA512

370c7276703706b969c5c5061a8ab18dd07a257882a09d674223513875924455466067000e994f326198ae783440967acda9d4c51a105b1991134e3088cd8003
SSDEEP

24576:84nXu/QSDTV+Bnvu8t+wqKcGKK0YF1I8Po3kJy5pIz0frpuIBpG2OBtSWd6+u:8qeNVCiGJ0YF1I8P7Jop40jpv6gWq

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2392	623f4eca3de95_Sat17334d36c.tmp
2688	623f4eca3de95_Sat17334d36c.tmp

Loads dropped DLL 4 IoCs

pid	Process
1560	623f4eca3de95_Sat17334d36c.exe
2392	623f4eca3de95_Sat17334d36c.tmp
2760	623f4eca3de95_Sat17334d36c.exe
2688	623f4eca3de95_Sat17334d36c.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	623f4eca3de95_Sat17334d36c.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	623f4eca3de95_Sat17334d36c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	623f4eca3de95_Sat17334d36c.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	623f4eca3de95_Sat17334d36c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2688	623f4eca3de95_Sat17334d36c.tmp

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 2392	1560	623f4eca3de95_Sat17334d36c.exe	31
PID 1560 wrote to memory of 2392	1560	623f4eca3de95_Sat17334d36c.exe	31
PID 1560 wrote to memory of 2392	1560	623f4eca3de95_Sat17334d36c.exe	31
PID 1560 wrote to memory of 2392	1560	623f4eca3de95_Sat17334d36c.exe	31
PID 1560 wrote to memory of 2392	1560	623f4eca3de95_Sat17334d36c.exe	31
PID 1560 wrote to memory of 2392	1560	623f4eca3de95_Sat17334d36c.exe	31
PID 1560 wrote to memory of 2392	1560	623f4eca3de95_Sat17334d36c.exe	31
PID 2392 wrote to memory of 2760	2392	623f4eca3de95_Sat17334d36c.tmp	32
PID 2392 wrote to memory of 2760	2392	623f4eca3de95_Sat17334d36c.tmp	32
PID 2392 wrote to memory of 2760	2392	623f4eca3de95_Sat17334d36c.tmp	32
PID 2392 wrote to memory of 2760	2392	623f4eca3de95_Sat17334d36c.tmp	32
PID 2392 wrote to memory of 2760	2392	623f4eca3de95_Sat17334d36c.tmp	32
PID 2392 wrote to memory of 2760	2392	623f4eca3de95_Sat17334d36c.tmp	32
PID 2392 wrote to memory of 2760	2392	623f4eca3de95_Sat17334d36c.tmp	32
PID 2760 wrote to memory of 2688	2760	623f4eca3de95_Sat17334d36c.exe	33
PID 2760 wrote to memory of 2688	2760	623f4eca3de95_Sat17334d36c.exe	33
PID 2760 wrote to memory of 2688	2760	623f4eca3de95_Sat17334d36c.exe	33
PID 2760 wrote to memory of 2688	2760	623f4eca3de95_Sat17334d36c.exe	33
PID 2760 wrote to memory of 2688	2760	623f4eca3de95_Sat17334d36c.exe	33
PID 2760 wrote to memory of 2688	2760	623f4eca3de95_Sat17334d36c.exe	33
PID 2760 wrote to memory of 2688	2760	623f4eca3de95_Sat17334d36c.exe	33

C:\Users\Admin\AppData\Local\Temp\7zS8B74BEBB\623f4eca3de95_Sat17334d36c.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8B74BEBB\623f4eca3de95_Sat17334d36c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Users\Admin\AppData\Local\Temp\is-OIU1K.tmp\623f4eca3de95_Sat17334d36c.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-OIU1K.tmp\623f4eca3de95_Sat17334d36c.tmp" /SL5="$400EE,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zS8B74BEBB\623f4eca3de95_Sat17334d36c.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\7zS8B74BEBB\623f4eca3de95_Sat17334d36c.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8B74BEBB\623f4eca3de95_Sat17334d36c.exe" /SILENT
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\is-G6MJL.tmp\623f4eca3de95_Sat17334d36c.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-G6MJL.tmp\623f4eca3de95_Sat17334d36c.tmp" /SL5="$500EE,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zS8B74BEBB\623f4eca3de95_Sat17334d36c.exe" /SILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-5JDPU.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
\Users\Admin\AppData\Local\Temp\is-OIU1K.tmp\623f4eca3de95_Sat17334d36c.tmp

Filesize
2.5MB

MD5
c2df22740f9c189cc1bca0f7a7da293a

SHA1
67a318397df6454749de34485e093bf726c15ac7

SHA256
6719f7cd93f52d4a68f18b5257779dfca14ffbccec81d57df93fc7ab6d35e219

SHA512
14ffc3f3b07230e7aa2b9768d9e54e97690670afe9ec8815aa1314d32260759f4430ddd5b0b821a107ef137e6c957b1f7e57f11095a5d1e9b13f4ebb3f431b17

Download Submit
memory/1560-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1560-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/1560-21-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2392-8-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/2392-19-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/2688-33-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/2760-17-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2760-32-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download