a2480b11ad87b6c98776b74d0ca75739559c6d357ddcc786bbf5565f91154095

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26/01/2025, 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer.exe
Size

541KB
MD5

c13ae6f97f5518fe8ca5b09f6aeb4c68
SHA1

d9219dade233d3cb0c59f57e4400dbff8e08eb66
SHA256

a2480b11ad87b6c98776b74d0ca75739559c6d357ddcc786bbf5565f91154095
SHA512

d5edf8397b686cdc12fe901739c88769386c06e108e8e61a9e1b14cf1abc78ac9edefc0b9e4b8d5595e47fdb0c2ef9155010ce643ebe1913b0a207620e567506
SSDEEP

12288:jY6R+JQXjAnN3ykQO4L3yq7HFe9/jAoaLSsysL2nmb0j:1TARQOS3ySY9/jA2l+0

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1796 set thread context of 2372	1796	Installer.exe	30

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1320	2372	WerFault.exe	30
1976	1796	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2372	1796	Installer.exe	30
PID 1796 wrote to memory of 2372	1796	Installer.exe	30
PID 1796 wrote to memory of 2372	1796	Installer.exe	30
PID 1796 wrote to memory of 2372	1796	Installer.exe	30
PID 1796 wrote to memory of 2372	1796	Installer.exe	30
PID 1796 wrote to memory of 2372	1796	Installer.exe	30
PID 1796 wrote to memory of 2372	1796	Installer.exe	30
PID 1796 wrote to memory of 2372	1796	Installer.exe	30
PID 1796 wrote to memory of 2372	1796	Installer.exe	30
PID 1796 wrote to memory of 2372	1796	Installer.exe	30
PID 1796 wrote to memory of 2372	1796	Installer.exe	30
PID 1796 wrote to memory of 2372	1796	Installer.exe	30
PID 1796 wrote to memory of 2372	1796	Installer.exe	30
PID 1796 wrote to memory of 1976	1796	Installer.exe	31
PID 1796 wrote to memory of 1976	1796	Installer.exe	31
PID 1796 wrote to memory of 1976	1796	Installer.exe	31
PID 1796 wrote to memory of 1976	1796	Installer.exe	31
PID 2372 wrote to memory of 1320	2372	Installer.exe	32
PID 2372 wrote to memory of 1320	2372	Installer.exe	32
PID 2372 wrote to memory of 1320	2372	Installer.exe	32
PID 2372 wrote to memory of 1320	2372	Installer.exe	32

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 148
    3⤵
    - Program crash
    PID:1320
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 516
  2⤵
  - Program crash
  PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1796-0-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

Filesize
4KB

Download
memory/1796-1-0x0000000000DC0000-0x0000000000E4E000-memory.dmp

Filesize
568KB

Download
memory/1796-17-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/1796-16-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

Filesize
4KB

Download
memory/1796-15-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/2372-9-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2372-3-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2372-12-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2372-14-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2372-10-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2372-4-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2372-5-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2372-7-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download