71c90358fbe89f31e48ed3256da850d81dc28ffbfabf1d5118853166f3c97444

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71c90358fbe89f31e48ed3256da850d81dc28ffbfabf1d5118853166f3c97444.exe
Size

73KB
MD5

854edf3fec36c85e8927c2885f1ba99d
SHA1

eb64395e88074638ededf5050a94d4b664089660
SHA256

71c90358fbe89f31e48ed3256da850d81dc28ffbfabf1d5118853166f3c97444
SHA512

65d96c45888ebfb0ab8097cc8b1694e25773626e8eafb1423fc262c0a508877f4d33bf80870faedc28c36a69c0509e00654cceb13d5ded38a78793fb77534120
SSDEEP

1536:hbXzeDY4a/DcK5QPqfhVWbdsmA+RjPFLC+e5h+0ZGUGf2g:hDzeDMcNPqfcxA+HFsh+Og

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2420	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
2220	cmd.exe
2220	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	71c90358fbe89f31e48ed3256da850d81dc28ffbfabf1d5118853166f3c97444.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 2220	1040	71c90358fbe89f31e48ed3256da850d81dc28ffbfabf1d5118853166f3c97444.exe	31
PID 1040 wrote to memory of 2220	1040	71c90358fbe89f31e48ed3256da850d81dc28ffbfabf1d5118853166f3c97444.exe	31
PID 1040 wrote to memory of 2220	1040	71c90358fbe89f31e48ed3256da850d81dc28ffbfabf1d5118853166f3c97444.exe	31
PID 1040 wrote to memory of 2220	1040	71c90358fbe89f31e48ed3256da850d81dc28ffbfabf1d5118853166f3c97444.exe	31
PID 2220 wrote to memory of 2420	2220	cmd.exe	32
PID 2220 wrote to memory of 2420	2220	cmd.exe	32
PID 2220 wrote to memory of 2420	2220	cmd.exe	32
PID 2220 wrote to memory of 2420	2220	cmd.exe	32
PID 2420 wrote to memory of 1692	2420	[email protected]	33
PID 2420 wrote to memory of 1692	2420	[email protected]	33
PID 2420 wrote to memory of 1692	2420	[email protected]	33
PID 2420 wrote to memory of 1692	2420	[email protected]	33

C:\Users\Admin\AppData\Local\Temp\71c90358fbe89f31e48ed3256da850d81dc28ffbfabf1d5118853166f3c97444.exe
"C:\Users\Admin\AppData\Local\Temp\71c90358fbe89f31e48ed3256da850d81dc28ffbfabf1d5118853166f3c97444.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
6a15f931471bbb6cff915c6185f086cb

SHA1
80f2679b2ced214b50dbef65a16f0afb5172105d

SHA256
03655d68af755c395d5d3a5b7e096db66072d855123ecec5b1f0b84e5db06d99

SHA512
29ea65cf5e29fd5c4b9a175d1ecd8c4c4063791e2747d3b6a00e8ea8203ad24d44c959d0a3a214b021bb78caf882e55aaf824d655249d752075a04c20face8d0

Download Submit
memory/1040-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2420-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download