61b685e4deba1c88a4c2325388156b3431c0173cf4960e429af309b0afba6306

Analysis

max time kernel
149s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09/08/2024, 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61b685e4deba1c88a4c2325388156b3431c0173cf4960e429af309b0afba6306.exe
Size

91KB
MD5

5427b4b7c170c833d5b066b27d580267
SHA1

be24d5dc8d71e03bfae1f332a2aa2cbc2d83ad45
SHA256

61b685e4deba1c88a4c2325388156b3431c0173cf4960e429af309b0afba6306
SHA512

7aef5666b648d847678a5bc5f88409a250dfe5e7a7fef3c4593ae35d2e35e88039c50382da684abd318191194e36dad75801e90915632a874f8c876e092295fa
SSDEEP

1536:xhH5LPEQ6maSU+g6HKF02z5HKgeBGme9y494ySeCi6OkOp9:bhB6mI+N2sGmt494ySwlkO3

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1488	agtugoomú±¬±
572	agtugoomú±¬±

Loads dropped DLL 3 IoCs

pid	Process
2548	61b685e4deba1c88a4c2325388156b3431c0173cf4960e429af309b0afba6306.exe
2548	61b685e4deba1c88a4c2325388156b3431c0173cf4960e429af309b0afba6306.exe
1488	agtugoomú±¬±

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\agtugoomú±¬±	61b685e4deba1c88a4c2325388156b3431c0173cf4960e429af309b0afba6306.exe
File created	C:\WINDOWS\SysWOW64\agtugoomú±¬±	61b685e4deba1c88a4c2325388156b3431c0173cf4960e429af309b0afba6306.exe
File opened for modification	C:\Windows\SysWOW64\ebpeadec-icomú°¸¸	agtugoomú±¬±
File created	C:\Windows\SysWOW64\ebpeadec-icomú°¸¸	agtugoomú±¬±
File opened for modification	C:\WINDOWS\SysWOW64\agtugoomú±¬±	agtugoomú±¬±

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	agtugoomú±¬±
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61b685e4deba1c88a4c2325388156b3431c0173cf4960e429af309b0afba6306.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
572	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±
1488	agtugoomú±¬±

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1488	2548	61b685e4deba1c88a4c2325388156b3431c0173cf4960e429af309b0afba6306.exe	29
PID 2548 wrote to memory of 1488	2548	61b685e4deba1c88a4c2325388156b3431c0173cf4960e429af309b0afba6306.exe	29
PID 2548 wrote to memory of 1488	2548	61b685e4deba1c88a4c2325388156b3431c0173cf4960e429af309b0afba6306.exe	29
PID 2548 wrote to memory of 1488	2548	61b685e4deba1c88a4c2325388156b3431c0173cf4960e429af309b0afba6306.exe	29
PID 1488 wrote to memory of 572	1488	agtugoomú±¬±	30
PID 1488 wrote to memory of 572	1488	agtugoomú±¬±	30
PID 1488 wrote to memory of 572	1488	agtugoomú±¬±	30
PID 1488 wrote to memory of 572	1488	agtugoomú±¬±	30

C:\Users\Admin\AppData\Local\Temp\61b685e4deba1c88a4c2325388156b3431c0173cf4960e429af309b0afba6306.exe
"C:\Users\Admin\AppData\Local\Temp\61b685e4deba1c88a4c2325388156b3431c0173cf4960e429af309b0afba6306.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\WINDOWS\SysWOW64\agtugoomú±¬±
  "C:\WINDOWS\SYSTEM32\agtugoomú±¬±"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\WINDOWS\SysWOW64\agtugoomú±¬±
    ùù¿çç¤
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\agtugoomú±¬±

Filesize
88KB

MD5
35ba913476f1803fb5ab4ab52a446d69

SHA1
d21ad4f69fe85ad88f9ac9eea3fb01036866e81b

SHA256
0c1ba7737b09b4f59304ae6fd386ec62d006d794f97285dfa9e156f1bc27152a

SHA512
2ebbca08d8b224de45ccda6c16852ecd0c780415c6468ed6f33641f4294a71f23fa466965fd1390f19bcd069991692ca57aa520847f7fb905d3cf76d7116f904

Download Submit
C:\Windows\SysWOW64\ebpeadec-icomú°¸¸

Filesize
5KB

MD5
48c45e05569f9a5665d082fbdc116c14

SHA1
e491ab1327b88312fc6d0535621b6de733c8efb5

SHA256
7e916f847bb5de3e09b36bd527e09ed656df13296bdcd9924185bcccde7dbe4c

SHA512
e1cc47e185831dc6c40372efc227f299964f262c641b790d31f0fe452a5bc70a4946c689913504c64790833c131d40c01fcd9ff3a148636be9f502959f7cc49c

Download Submit
memory/572-28-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1488-27-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2548-7-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download