52c15fa91d8c594a714ec42739549e8e159d30a39be47c2f47a10ad027bbeec6

Analysis

max time kernel
10s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16/08/2024, 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d9d4705d943f69e70ceae2b83c643c0N.exe
Size

448KB
MD5

4d9d4705d943f69e70ceae2b83c643c0
SHA1

78cf04c90e60d01b2720aa08b63fbc6d7964b703
SHA256

52c15fa91d8c594a714ec42739549e8e159d30a39be47c2f47a10ad027bbeec6
SHA512

02ac96341e15d0e6a2da749f07f3832f0980a999714df78286fede5a11f0c76d440c8a8daf0b4f3844a444af57dd60e9f9adc23ab9a374624be0f2b3fa3b7a9a
SSDEEP

6144:3sBXDK3jWZ9DSnR+731eWTavE3KI4UWhV40saiigCD4H2cHwXWNzDw:3sV+3qTleURZPWhVQ5zCD4TyWN4

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2164	4d9d4705d943f69e70ceae2b83c643c0N.exe

Executes dropped EXE 1 IoCs

pid	Process
2164	4d9d4705d943f69e70ceae2b83c643c0N.exe

Loads dropped DLL 1 IoCs

pid	Process
2884	4d9d4705d943f69e70ceae2b83c643c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d9d4705d943f69e70ceae2b83c643c0N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2884	4d9d4705d943f69e70ceae2b83c643c0N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2164	4d9d4705d943f69e70ceae2b83c643c0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2164	2884	4d9d4705d943f69e70ceae2b83c643c0N.exe	30
PID 2884 wrote to memory of 2164	2884	4d9d4705d943f69e70ceae2b83c643c0N.exe	30
PID 2884 wrote to memory of 2164	2884	4d9d4705d943f69e70ceae2b83c643c0N.exe	30
PID 2884 wrote to memory of 2164	2884	4d9d4705d943f69e70ceae2b83c643c0N.exe	30

C:\Users\Admin\AppData\Local\Temp\4d9d4705d943f69e70ceae2b83c643c0N.exe
"C:\Users\Admin\AppData\Local\Temp\4d9d4705d943f69e70ceae2b83c643c0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\4d9d4705d943f69e70ceae2b83c643c0N.exe
  C:\Users\Admin\AppData\Local\Temp\4d9d4705d943f69e70ceae2b83c643c0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\4d9d4705d943f69e70ceae2b83c643c0N.exe

Filesize
448KB

MD5
f9c41a052a1cf5db7d88b2c87ab9ba62

SHA1
e73fbe6c2729cbc95984cda04a83622b0f087544

SHA256
aff56c7e0852283be0f58411445a8a0067318a4c99b22db24ef6505fa9886112

SHA512
cf74864a8adeacfc9e9cdb90a07901c3d407494c1a846c460a5730807706cf5e0b0558282d2dfe3af03bdb151c860e6dec2d54419b83a728f3b05b181f0b1cf3

Download Submit
memory/2164-11-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2164-12-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2164-17-0x0000000000380000-0x00000000003C6000-memory.dmp

Filesize
280KB

Download
memory/2164-18-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2884-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2884-10-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2884-6-0x0000000000130000-0x0000000000176000-memory.dmp

Filesize
280KB

Download