168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe
Size

7.0MB
MD5

9f45622774c7d19b96b520b37dc56055
SHA1

b33b3bf504155b47efa9a9f44dff88c2df03a6d2
SHA256

168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9
SHA512

f60523676f18ee42633fce9e40dd3e4ff8d2b1f855a9016c0c20023491424aa091a538022a938fba43ef7935c24d3384e8b7a713427ba71f0ae3ae206409defc
SSDEEP

98304:emhd1Uryey4MhYILo/erQMLeZrDV7wQqZUha5jtSyZIUbn:elfm8V92QbaZtliK

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2708	4605.tmp

Executes dropped EXE 1 IoCs

pid	Process
2708	4605.tmp

Loads dropped DLL 2 IoCs

pid	Process
1188	168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe
1188	168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 2708	1188	168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe	30
PID 1188 wrote to memory of 2708	1188	168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe	30
PID 1188 wrote to memory of 2708	1188	168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe	30
PID 1188 wrote to memory of 2708	1188	168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe	30

C:\Users\Admin\AppData\Local\Temp\168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe
"C:\Users\Admin\AppData\Local\Temp\168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\4605.tmp
  "C:\Users\Admin\AppData\Local\Temp\4605.tmp" --splashC:\Users\Admin\AppData\Local\Temp\168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe 82653F392A0BF0907BA5AD2C0E0EFE14FAB88555882A6CCF547097527FA75D8DCD7B3A8B078DB616D247D423CFFA95C2712B0C17CE00EB7B56C55A810FD69BD2
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\4605.tmp

Filesize
7.0MB

MD5
8ad3a68c5bc6ab93496f2139d575ff64

SHA1
8d832b9cb2199dcc8efc11dde9cd7fe284577b56

SHA256
05609b427ea777a7b3ed6ede02b937d68ae13dacc434ba0ed046d63c8be448bd

SHA512
5b679f1584cd13c5eb0af34a9a06a6f2370daaaf13de526197e516e5596185e35f69aad27c2d6114370e6b864dfc2233401bf175fe17b0fa696bfd4c8612ea0d

Download Submit
memory/1188-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/2708-9-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download