90077ab6d231e7e6fcf1a59c26172d778d1816ba2b74cd5682061af38f7bb4dd

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 07:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

09da7e6cd95f0f01b7ee7954f283a630N.exe
Size

24KB
MD5

09da7e6cd95f0f01b7ee7954f283a630
SHA1

ba73fc0fa30377d4c94c9e19cb913244cd51ed74
SHA256

90077ab6d231e7e6fcf1a59c26172d778d1816ba2b74cd5682061af38f7bb4dd
SHA512

9572bee7c4ce2d4c8f021a085c556f4911b356fb5434c1fafab2512fed37f42fe98c44b1bf64bc6674f37ba29c0fb4dfe9aadbcdd3122167532ca0d624686d1a
SSDEEP

384:CV6wM2h3ln/3m0p/Qhlg8dgQBY8hrBpj6480BpcDKA:Q6K7fJKFiQTrLjdT2v

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2160	quity.exe

Loads dropped DLL 1 IoCs

pid	Process
2540	09da7e6cd95f0f01b7ee7954f283a630N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09da7e6cd95f0f01b7ee7954f283a630N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quity.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2540	09da7e6cd95f0f01b7ee7954f283a630N.exe
2160	quity.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2160	2540	09da7e6cd95f0f01b7ee7954f283a630N.exe	30
PID 2540 wrote to memory of 2160	2540	09da7e6cd95f0f01b7ee7954f283a630N.exe	30
PID 2540 wrote to memory of 2160	2540	09da7e6cd95f0f01b7ee7954f283a630N.exe	30
PID 2540 wrote to memory of 2160	2540	09da7e6cd95f0f01b7ee7954f283a630N.exe	30

C:\Users\Admin\AppData\Local\Temp\09da7e6cd95f0f01b7ee7954f283a630N.exe
"C:\Users\Admin\AppData\Local\Temp\09da7e6cd95f0f01b7ee7954f283a630N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\Temp\quity.exe
  "C:\Users\Admin\AppData\Local\Temp\quity.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\quity.exe

Filesize
24KB

MD5
fa1a8bb0cfb5a7be5e962c24e81537f8

SHA1
a5f0e86c9d94e81c3c41e3683806881c845cba3f

SHA256
dd78f304745b7da032b9819795a395def588f8d200549565fc07f64f627cfbbc

SHA512
d34f0febaacce16f1571bf02ea133122d541ae5f592cc5df83f27b1f57aef0f97bf64a1c09be81c2825bf9d9bd53c0424e0741c3a4837d61dda82601336212d7

Download Submit
memory/2160-23-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/2540-8-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/2540-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2540-0-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download