4dcab4dff066a113b9f2cea94b1b21837cf92f0874eb3c4fc166824546ff5271

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
31/01/2025, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lGxCmyo.exe
Size

6.3MB
MD5

8b566fdf77f5acf29c6c5bd2d52eacab
SHA1

19842502be7711f7e4d303c71184dc0b2ac05798
SHA256

4dcab4dff066a113b9f2cea94b1b21837cf92f0874eb3c4fc166824546ff5271
SHA512

d3e12e3a8f5593a8e7eb7c78c0b27e1a2b9ba229a2ab4ff14675589617a43185a9bea8ffa4b26586e9744b39b657d143645f76bcac21f20fbab45509998c1ff6
SSDEEP

98304:ijcIruEVC6IEq9Vyn//5gcllxt3bzBoUv6aQ/BDyZeut1BDjRhh:WDCjTA//5gcllfrNJ6jBGwutlhh

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0005000000019509-21.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
1028	lGxCmyo.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019509-21.dat	upx
behavioral1/memory/1028-23-0x0000000074B30000-0x0000000075043000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lGxCmyo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lGxCmyo.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 588 wrote to memory of 1028	588	lGxCmyo.exe	31
PID 588 wrote to memory of 1028	588	lGxCmyo.exe	31
PID 588 wrote to memory of 1028	588	lGxCmyo.exe	31
PID 588 wrote to memory of 1028	588	lGxCmyo.exe	31

C:\Users\Admin\AppData\Local\Temp\lGxCmyo.exe
"C:\Users\Admin\AppData\Local\Temp\lGxCmyo.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:588
- C:\Users\Admin\AppData\Local\Temp\lGxCmyo.exe
  "C:\Users\Admin\AppData\Local\Temp\lGxCmyo.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI5882\python311.dll

Filesize
1.4MB

MD5
c2d7c1219852ebef562663248393591d

SHA1
56d54e195ca36dd8239ed2b2d826d03584f0b372

SHA256
ff71be682dd009694bb52cad1aff027a4605f213ec42682c08a37bf0105653b5

SHA512
4284f02ece7c2e6f2bee253255f58319c5c4a1333a54e6c9676d47f66a2f5d860ac963640b550ee8ec3246fda5223306d022ef4e6a57f5f7ef5132b0aecf6fd3

Download Submit
memory/1028-23-0x0000000074B30000-0x0000000075043000-memory.dmp

Filesize
5.1MB

Download