d0b679f2c6a19a7202960c45c2e159e461af832d9a234d673b474070fb05f634

Analysis

max time kernel
52s
max time network
17s
platform
windows7_x64
resource
win7-20241023-es
resource tags

arch:x64arch:x86image:win7-20241023-eslocale:es-esos:windows7-x64systemwindows
submitted
30/03/2025, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setupAICS6.exe
Size

180.3MB
MD5

21bfb188279a825c03825fa7dcb07753
SHA1

24f4d92912a04db6c942f9672f0e35369589acfe
SHA256

d0b679f2c6a19a7202960c45c2e159e461af832d9a234d673b474070fb05f634
SHA512

370a6d730c46560e5f517950cd4295b893ed51ffd8ef67506a1e1170faa01b7cc3f0f11a76ec907e52602c2bb81719fbc3c87f7db0bb33ac79fb04ee1ffb12b2
SSDEEP

3145728:RbzooA/ixuq49P70jR2zNrpfzZ708h1USKkAyyc2sTCneEx5+lHiV4bbW8/:V3A/ixu59PMozNrxB08hKSKfyycUDx5U

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2880	setupAICS6.tmp

Loads dropped DLL 1 IoCs

pid	Process
2824	setupAICS6.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setupAICS6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setupAICS6.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2880	2824	setupAICS6.exe	30
PID 2824 wrote to memory of 2880	2824	setupAICS6.exe	30
PID 2824 wrote to memory of 2880	2824	setupAICS6.exe	30
PID 2824 wrote to memory of 2880	2824	setupAICS6.exe	30
PID 2824 wrote to memory of 2880	2824	setupAICS6.exe	30
PID 2824 wrote to memory of 2880	2824	setupAICS6.exe	30
PID 2824 wrote to memory of 2880	2824	setupAICS6.exe	30

C:\Users\Admin\AppData\Local\Temp\setupAICS6.exe
"C:\Users\Admin\AppData\Local\Temp\setupAICS6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\is-F2ABO.tmp\setupAICS6.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-F2ABO.tmp\setupAICS6.tmp" /SL5="$30154,188716683,66560,C:\Users\Admin\AppData\Local\Temp\setupAICS6.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-F2ABO.tmp\setupAICS6.tmp

Filesize
710KB

MD5
4608db78a6afcede21acedb6b18eff4c

SHA1
d13f5dc5b2821cf4f9a4c9766d458c1a6502777c

SHA256
0a5f369b4e65d0887efab55b3cf40bf38a210bdacc14c513afcfa16f662ddc8a

SHA512
f1cc89094e260cb76d19cb2875e2ecd94be70e2863cc02068acb59908149c875903547170a0e0d19b7ba1d55ffe1760dbd53fa07fa257b7201aa07cc094258b0

Download Submit
memory/2824-2-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/2824-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2824-9-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2880-8-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2880-11-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download