fdbc0e391f0d629808b450ceef6abd97a0e573d74542b6c8b0dc43cd125fb44b

Analysis

max time kernel
21s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03/08/2024, 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34e0753e119558c8aad1449cd4926370N.exe
Size

202KB
MD5

34e0753e119558c8aad1449cd4926370
SHA1

bc090098e464a7d93b4da67570d4c06a36339541
SHA256

fdbc0e391f0d629808b450ceef6abd97a0e573d74542b6c8b0dc43cd125fb44b
SHA512

d17902a0d5228f8b708ede154eb3a701a0260f6cbb9c80b2924ccdcf98f75f8018f54bcb9a3ca4efc71cee65baf4e0d03c4a3e7ed2e3f5eb24497813e7274cf1
SSDEEP

6144:QrPVrrlUIHL6j+dAe6c52y16E1Pic7IL8eXrP:QLVrr16idoc5Tx9P728eXrP

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2328	34e0753e119558c8aad1449cd4926370N.exe

Executes dropped EXE 1 IoCs

pid	Process
2328	34e0753e119558c8aad1449cd4926370N.exe

Loads dropped DLL 1 IoCs

pid	Process
2560	34e0753e119558c8aad1449cd4926370N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34e0753e119558c8aad1449cd4926370N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2560	34e0753e119558c8aad1449cd4926370N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2328	34e0753e119558c8aad1449cd4926370N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2328	2560	34e0753e119558c8aad1449cd4926370N.exe	31
PID 2560 wrote to memory of 2328	2560	34e0753e119558c8aad1449cd4926370N.exe	31
PID 2560 wrote to memory of 2328	2560	34e0753e119558c8aad1449cd4926370N.exe	31
PID 2560 wrote to memory of 2328	2560	34e0753e119558c8aad1449cd4926370N.exe	31

C:\Users\Admin\AppData\Local\Temp\34e0753e119558c8aad1449cd4926370N.exe
"C:\Users\Admin\AppData\Local\Temp\34e0753e119558c8aad1449cd4926370N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Local\Temp\34e0753e119558c8aad1449cd4926370N.exe
  C:\Users\Admin\AppData\Local\Temp\34e0753e119558c8aad1449cd4926370N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\34e0753e119558c8aad1449cd4926370N.exe

Filesize
202KB

MD5
7aaf0f2177c97a2217114de4b3861239

SHA1
e98f6178346c65b624136c89d351c46b513a83c5

SHA256
3babb6fb4f661970e3a8b0d26f2e79b6e5e1d849875e19d0d4a0c2ae71a60a6b

SHA512
e6e4c3f5afb8de582a580b000460bfc51ce91ee613ac030cb7908ce78c950829bd1cb7ca79197340923ed28e5e2a3124b7ae8a0af745c771240a0100327aa5df

Download Submit
memory/2328-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2328-16-0x0000000000210000-0x000000000024E000-memory.dmp

Filesize
248KB

Download
memory/2328-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2328-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2560-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2560-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download