07c2fb4fb2afe94a96a5df90e7315dd2361aed5ba6956af09d2ec090c4963b6d

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
16-08-2024 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59939e932d9a1444570f03e9357ca7f0N.exe
Size

6.0MB
MD5

59939e932d9a1444570f03e9357ca7f0
SHA1

dcbb0cc5e577d986b95ae4362343ed5ed70e6f68
SHA256

07c2fb4fb2afe94a96a5df90e7315dd2361aed5ba6956af09d2ec090c4963b6d
SHA512

2d47eb2b474f541f952e53f5af5e16b92c5b6e1e024177bee87f65c604348ae57f22615f7273479cd1e1a4b5d251163b14ba20f7a90f957778b2fb82fcaf9a93
SSDEEP

98304:emhd1UryenF+r6sVUBcDEaG3V7wQqZUha5jtSyZIUS:ella6sVUcEa+2QbaZtlir

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2540	AF71.tmp

Executes dropped EXE 1 IoCs

pid	Process
2540	AF71.tmp

Loads dropped DLL 2 IoCs

pid	Process
2528	59939e932d9a1444570f03e9357ca7f0N.exe
2528	59939e932d9a1444570f03e9357ca7f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59939e932d9a1444570f03e9357ca7f0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2540	2528	59939e932d9a1444570f03e9357ca7f0N.exe	30
PID 2528 wrote to memory of 2540	2528	59939e932d9a1444570f03e9357ca7f0N.exe	30
PID 2528 wrote to memory of 2540	2528	59939e932d9a1444570f03e9357ca7f0N.exe	30
PID 2528 wrote to memory of 2540	2528	59939e932d9a1444570f03e9357ca7f0N.exe	30

C:\Users\Admin\AppData\Local\Temp\59939e932d9a1444570f03e9357ca7f0N.exe
"C:\Users\Admin\AppData\Local\Temp\59939e932d9a1444570f03e9357ca7f0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\AF71.tmp
  "C:\Users\Admin\AppData\Local\Temp\AF71.tmp" --splashC:\Users\Admin\AppData\Local\Temp\59939e932d9a1444570f03e9357ca7f0N.exe 12CDB3594D9B1F01618FBDDE1B4C73DAEDEF713A9E6DF876BF2394C4599761495AECF28F83DFAF9DBA55F54F8F4A59235E479630059EF60EFC05FDE0718C342F
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AF71.tmp

Filesize
6.0MB

MD5
7d9df3c7f67f1e12ea75d2df1ff1d049

SHA1
1d511bf62b421518971dd352c61ae6d66263bed5

SHA256
43553aa9129ae82e63561d11afe9ff9734458f84dccc6c75ad7b9000096ea1ee

SHA512
29ac076c97e4a6fe97b8bc39899a622987da8315e167b1c5424659d2b00b465ccc2889aa79d852f2b5872238c544fa01d4e55472493a5855536363745ad8fb50

Download Submit
memory/2528-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/2540-9-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download