1ce64c9e8e9808db8cd6b3bf2c44f59396afb91e286422ad8eb30ad28a5ad6ff

Analysis

max time kernel
19s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14-08-2024 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6df2daf4d4d523d9e737e64295c36020N.exe
Size

333KB
MD5

6df2daf4d4d523d9e737e64295c36020
SHA1

86b229748ec287c25df78310006987e1eb4cacfb
SHA256

1ce64c9e8e9808db8cd6b3bf2c44f59396afb91e286422ad8eb30ad28a5ad6ff
SHA512

7b0d1aff5f482aae3e2c546431e99414fe83f74c9d90df4ffd0fe6f8343ef1c45344227e2e491951e03b8387505de171fe575de38b3b5cb023650929ae0a0b75
SSDEEP

6144:VJhsm/ZnsdcHuNECcYvs06AidwEC9yy6atBWONLRIaUOkKr:VJh3Hu870pEC97trIahP

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2024	6df2daf4d4d523d9e737e64295c36020N.exe

Executes dropped EXE 1 IoCs

pid	Process
2024	6df2daf4d4d523d9e737e64295c36020N.exe

Loads dropped DLL 1 IoCs

pid	Process
2292	6df2daf4d4d523d9e737e64295c36020N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6df2daf4d4d523d9e737e64295c36020N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2292	6df2daf4d4d523d9e737e64295c36020N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2024	6df2daf4d4d523d9e737e64295c36020N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2024	2292	6df2daf4d4d523d9e737e64295c36020N.exe	29
PID 2292 wrote to memory of 2024	2292	6df2daf4d4d523d9e737e64295c36020N.exe	29
PID 2292 wrote to memory of 2024	2292	6df2daf4d4d523d9e737e64295c36020N.exe	29
PID 2292 wrote to memory of 2024	2292	6df2daf4d4d523d9e737e64295c36020N.exe	29

C:\Users\Admin\AppData\Local\Temp\6df2daf4d4d523d9e737e64295c36020N.exe
"C:\Users\Admin\AppData\Local\Temp\6df2daf4d4d523d9e737e64295c36020N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\6df2daf4d4d523d9e737e64295c36020N.exe
  C:\Users\Admin\AppData\Local\Temp\6df2daf4d4d523d9e737e64295c36020N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\6df2daf4d4d523d9e737e64295c36020N.exe

Filesize
333KB

MD5
d8ffc48a75b5186881f0aea502c5f4c7

SHA1
c094a6b0b104a70d583fb93d6e8bd5e2171ea0eb

SHA256
406bd572526a010b9df57a7b3320cd6d50d8d720cadcfd8d56ed5d4f7ae24084

SHA512
90947730d0fb37ccfccac76e24e35f4a1eceab38674722e04320083b7e7e24df448d77de091db6e0ef18b748309c90045b4e95aadc8c59a541f2f1438c21b998

Download Submit
memory/2024-13-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2024-17-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/2292-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2292-6-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/2292-11-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download