7691a0d73b96b83201876c069fbc9b6360accaa29ba293c6703f7a696902daa9

Analysis

max time kernel
93s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
28/07/2024, 00:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7691a0d73b96b83201876c069fbc9b6360accaa29ba293c6703f7a696902daa9.exe
Size

5.4MB
MD5

9b3bce9cbe1ebf4b607e2e9c56a43429
SHA1

af15d8e36a9499fea9b943611a0858eaccdc5344
SHA256

7691a0d73b96b83201876c069fbc9b6360accaa29ba293c6703f7a696902daa9
SHA512

a1e3d1b21cd7f590c54fd48ef4d0d572297060a502fd80eec8e9c4dc610060908ae04c4b424a20c6a134d79e29dfcf124a9cb40b758b17b838185c49ba8442fe
SSDEEP

98304:emhd1UryeFXoKWw3L6SsLgkuV7wQqZUha5jtSyZIUh:el6KWU6Vgku2QbaZtliU

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3532	DE4A.tmp

Executes dropped EXE 1 IoCs

pid	Process
3532	DE4A.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7691a0d73b96b83201876c069fbc9b6360accaa29ba293c6703f7a696902daa9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DE4A.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 3532	4484	7691a0d73b96b83201876c069fbc9b6360accaa29ba293c6703f7a696902daa9.exe	87
PID 4484 wrote to memory of 3532	4484	7691a0d73b96b83201876c069fbc9b6360accaa29ba293c6703f7a696902daa9.exe	87
PID 4484 wrote to memory of 3532	4484	7691a0d73b96b83201876c069fbc9b6360accaa29ba293c6703f7a696902daa9.exe	87

C:\Users\Admin\AppData\Local\Temp\7691a0d73b96b83201876c069fbc9b6360accaa29ba293c6703f7a696902daa9.exe
"C:\Users\Admin\AppData\Local\Temp\7691a0d73b96b83201876c069fbc9b6360accaa29ba293c6703f7a696902daa9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Users\Admin\AppData\Local\Temp\DE4A.tmp
  "C:\Users\Admin\AppData\Local\Temp\DE4A.tmp" --splashC:\Users\Admin\AppData\Local\Temp\7691a0d73b96b83201876c069fbc9b6360accaa29ba293c6703f7a696902daa9.exe 5679711DCF697A6B95AF63113D61F9FF50FB3F527D8BA53135D958DF76D6C5EA4F250D2A87744CA1943EEFF5431F37289C7E965ADD9E6F087B682835514EF689
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DE4A.tmp

Filesize
5.4MB

MD5
19a245a6624bc8374e8df8743771b4e1

SHA1
80b5a4607b074cc497b6819dfd393fde6057c8f1

SHA256
641374f536aaf55561418952a7a6ba5d358eb553f2d579e438672027a5614637

SHA512
2db03e87d8a03ccc9a825589c84c025241724ef0502bc400348487933dacba3c223cb162efedbed404ba65e00dc88e71f240478d27ce6a87fe5df92bbf70b956

Download Submit
memory/3532-5-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/4484-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download