f92ea3668a35fbf6e26ba93ed3c2ee31235e41013b79cd661aa061d1327540d9

Resubmissions

03/03/2025, 00:30

250303-atjytszr17 7

26/05/2021, 16:56

210526-cxl24bzxyj 10

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/03/2025, 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac7560fd5eae593bc3dd81a19f68647f.exe
Size

380KB
MD5

ac7560fd5eae593bc3dd81a19f68647f
SHA1

e6addb41986cf296d935f60d3d61f595dbd26857
SHA256

f92ea3668a35fbf6e26ba93ed3c2ee31235e41013b79cd661aa061d1327540d9
SHA512

eac194e25ec730dafb1ea03378ba33ba52bc3d01be785bd24a73ffcaf05a1b8c26c624238c27d6108b32d19dd5679d80493c2582190eb2e6d604365796e270ad
SSDEEP

6144:x/QiQXCoJm+ksmpk3U9jW1U4P9bBZCOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZ4:pQi3os6m6URA3PhmlL//plmW9bTXeVh8

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1524	ac7560fd5eae593bc3dd81a19f68647f.tmp

Loads dropped DLL 4 IoCs

pid	Process
2480	ac7560fd5eae593bc3dd81a19f68647f.exe
1524	ac7560fd5eae593bc3dd81a19f68647f.tmp
1524	ac7560fd5eae593bc3dd81a19f68647f.tmp
1524	ac7560fd5eae593bc3dd81a19f68647f.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac7560fd5eae593bc3dd81a19f68647f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac7560fd5eae593bc3dd81a19f68647f.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 1524	2480	ac7560fd5eae593bc3dd81a19f68647f.exe	31
PID 2480 wrote to memory of 1524	2480	ac7560fd5eae593bc3dd81a19f68647f.exe	31
PID 2480 wrote to memory of 1524	2480	ac7560fd5eae593bc3dd81a19f68647f.exe	31
PID 2480 wrote to memory of 1524	2480	ac7560fd5eae593bc3dd81a19f68647f.exe	31
PID 2480 wrote to memory of 1524	2480	ac7560fd5eae593bc3dd81a19f68647f.exe	31
PID 2480 wrote to memory of 1524	2480	ac7560fd5eae593bc3dd81a19f68647f.exe	31
PID 2480 wrote to memory of 1524	2480	ac7560fd5eae593bc3dd81a19f68647f.exe	31

C:\Users\Admin\AppData\Local\Temp\ac7560fd5eae593bc3dd81a19f68647f.exe
"C:\Users\Admin\AppData\Local\Temp\ac7560fd5eae593bc3dd81a19f68647f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\is-EMHPB.tmp\ac7560fd5eae593bc3dd81a19f68647f.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-EMHPB.tmp\ac7560fd5eae593bc3dd81a19f68647f.tmp" /SL5="$4010A,140518,56832,C:\Users\Admin\AppData\Local\Temp\ac7560fd5eae593bc3dd81a19f68647f.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1524

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-EMHPB.tmp\ac7560fd5eae593bc3dd81a19f68647f.tmp

Filesize
694KB

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
\Users\Admin\AppData\Local\Temp\is-P8TC0.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-P8TC0.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
memory/1524-8-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1524-22-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2480-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2480-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2480-24-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download