f92ea3668a35fbf6e26ba93ed3c2ee31235e41013b79cd661aa061d1327540d9

Resubmissions

03/03/2025, 00:30

250303-atjytszr17 7

26/05/2021, 16:56

210526-cxl24bzxyj 10

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
03/03/2025, 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac7560fd5eae593bc3dd81a19f68647f.exe
Size

380KB
MD5

ac7560fd5eae593bc3dd81a19f68647f
SHA1

e6addb41986cf296d935f60d3d61f595dbd26857
SHA256

f92ea3668a35fbf6e26ba93ed3c2ee31235e41013b79cd661aa061d1327540d9
SHA512

eac194e25ec730dafb1ea03378ba33ba52bc3d01be785bd24a73ffcaf05a1b8c26c624238c27d6108b32d19dd5679d80493c2582190eb2e6d604365796e270ad
SSDEEP

6144:x/QiQXCoJm+ksmpk3U9jW1U4P9bBZCOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZ4:pQi3os6m6URA3PhmlL//plmW9bTXeVh8

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2756	ac7560fd5eae593bc3dd81a19f68647f.tmp

Loads dropped DLL 1 IoCs

pid	Process
2756	ac7560fd5eae593bc3dd81a19f68647f.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac7560fd5eae593bc3dd81a19f68647f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac7560fd5eae593bc3dd81a19f68647f.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2756	2104	ac7560fd5eae593bc3dd81a19f68647f.exe	88
PID 2104 wrote to memory of 2756	2104	ac7560fd5eae593bc3dd81a19f68647f.exe	88
PID 2104 wrote to memory of 2756	2104	ac7560fd5eae593bc3dd81a19f68647f.exe	88

C:\Users\Admin\AppData\Local\Temp\ac7560fd5eae593bc3dd81a19f68647f.exe
"C:\Users\Admin\AppData\Local\Temp\ac7560fd5eae593bc3dd81a19f68647f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\is-SQF3V.tmp\ac7560fd5eae593bc3dd81a19f68647f.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SQF3V.tmp\ac7560fd5eae593bc3dd81a19f68647f.tmp" /SL5="$502E0,140518,56832,C:\Users\Admin\AppData\Local\Temp\ac7560fd5eae593bc3dd81a19f68647f.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-7PJEO.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SQF3V.tmp\ac7560fd5eae593bc3dd81a19f68647f.tmp

Filesize
694KB

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
memory/2104-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2104-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2104-20-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2756-6-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2756-18-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download