a7b6ee589f5176c1d0fe22443c403c6c97d5e19c322c887a777503882fa804b5

Analysis

max time kernel
15s
max time network
21s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cd4381495b9c77954ada7cb26a9e0b0N.exe
Size

79KB
MD5

8cd4381495b9c77954ada7cb26a9e0b0
SHA1

1e50db4fdba1027f5a245992f64bf8503c17503d
SHA256

a7b6ee589f5176c1d0fe22443c403c6c97d5e19c322c887a777503882fa804b5
SHA512

a899427ccbfdb0abb3135a36f25f3d608fab26e707f58900523bca6289014ffc8ea1b0a43610a8d6150e4097f5df3838ab1d485933739c36688a719bf3d78c36
SSDEEP

1536:zvsva71+WE0bxOQA8AkqUhMb2nuy5wgIP0CSJ+5yVmB8GMGlZ5G:zv1/rEGdqU7uy5w9WMygN5G

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3048	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
3012	cmd.exe
3012	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8cd4381495b9c77954ada7cb26a9e0b0N.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 3012	1772	8cd4381495b9c77954ada7cb26a9e0b0N.exe	31
PID 1772 wrote to memory of 3012	1772	8cd4381495b9c77954ada7cb26a9e0b0N.exe	31
PID 1772 wrote to memory of 3012	1772	8cd4381495b9c77954ada7cb26a9e0b0N.exe	31
PID 1772 wrote to memory of 3012	1772	8cd4381495b9c77954ada7cb26a9e0b0N.exe	31
PID 3012 wrote to memory of 3048	3012	cmd.exe	32
PID 3012 wrote to memory of 3048	3012	cmd.exe	32
PID 3012 wrote to memory of 3048	3012	cmd.exe	32
PID 3012 wrote to memory of 3048	3012	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\8cd4381495b9c77954ada7cb26a9e0b0N.exe
"C:\Users\Admin\AppData\Local\Temp\8cd4381495b9c77954ada7cb26a9e0b0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
79KB

MD5
0265f8a02e12313324f6ff4a3ae54722

SHA1
58ff0937a37b34c017b8bdf8f6abe293e04c28d9

SHA256
be8063043816c6d91fcdb52d8cb701ba255a36257dc1e7be81b820e735a8226d

SHA512
4f5bc87d83029c09d2359e43a52f8d40ef5ba4067d545bc3347f97082d44268d380d359327b7b19ec0fa073ff55c8757d44b4cae7af29b0b79f70ae531a3e1be

Download Submit
memory/1772-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-7-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download