0f1b94f36ea714a1071a826eb47d972f1769e9e139bf3b4fb88f555dfc457603

Analysis

max time kernel
145s
max time network
135s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30/12/2024, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

679.9MB
MD5

8abc5e36759219b71d185846fc66c0e6
SHA1

491339930d88a891baae5b8f7d634d7740bf7826
SHA256

04b41a4960228a64cd1a7b93e27221bfa38c75e389c446bd19b2708839583b8f
SHA512

76f4f6186c2f5717e4f76504e4df05c5443bebb107fa41f1b629f9f7d48f6cff06c44f719de2e9532f91f09bee4afc95a054dd6d49a7361d3041e4f4d2a93ff8
SSDEEP

196608:0+9mlxAMFyzUA7Xe5u8E9qj13B0J/cr5Rx5M+Rzh1pc:0+QlxHBMu5Bv3BM

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2196	2816	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2816	Setup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2816	Setup.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2196	2816	Setup.exe	30
PID 2816 wrote to memory of 2196	2816	Setup.exe	30
PID 2816 wrote to memory of 2196	2816	Setup.exe	30
PID 2816 wrote to memory of 2196	2816	Setup.exe	30

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 552
  2⤵
  - Program crash
  PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2501c99b

Filesize
2.0MB

MD5
595b9c5b3adb7a4809cc828bc6705129

SHA1
735fbb66976bc3a5b3df6560e059367875afbe6f

SHA256
e7bc639b5319fecc5411650aca295eff29e3fa26cfda09772954c28e8c2dfd0f

SHA512
d7ba6b3fc09ab5fc800d453e7c7a6cf2288fe7b555a5da2f9880b54f2c529ac4cb9b210308d07365e99a7747d65bcb6fb8b41930df83db385ff179351b4e1d28

Download Submit
memory/2816-0-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/2816-1-0x0000000000400000-0x0000000000D20000-memory.dmp

Filesize
9.1MB

Download
memory/2816-7-0x0000000075C30000-0x000000007687A000-memory.dmp

Filesize
12.3MB

Download
memory/2816-8-0x00000000776B0000-0x0000000077859000-memory.dmp

Filesize
1.7MB

Download
memory/2816-10-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/2816-9-0x0000000000400000-0x0000000000D20000-memory.dmp

Filesize
9.1MB

Download
memory/2816-11-0x0000000000400000-0x0000000000D20000-memory.dmp

Filesize
9.1MB

Download