361356f9185004242942441921d8cabb98f497545409514d85db3c25d8584ec6

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a82b3180ee075e75ed704a06a05f5ff0N.exe
Size

194KB
MD5

a82b3180ee075e75ed704a06a05f5ff0
SHA1

79743ecc9b715575898e122422b16dfe6b437f5e
SHA256

361356f9185004242942441921d8cabb98f497545409514d85db3c25d8584ec6
SHA512

cb98c22f8e1eb9deb69ae173880ab898e12950c6add13e5be29259737fc19d81ccae838de68a74d5d1b6e46dcbaf29243639008ed74cd4df889d3add714e65aa
SSDEEP

3072:2UMTrOzktXOYlwTFf560MgH1kRY4sbQfJnSIET8ZXawu0U5q8Vc4qQZt:CTrOUOZ80MpYRbQfJuw

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3068	a82b3180ee075e75ed704a06a05f5ff0N.exe

Executes dropped EXE 1 IoCs

pid	Process
3068	a82b3180ee075e75ed704a06a05f5ff0N.exe

Loads dropped DLL 1 IoCs

pid	Process
2016	a82b3180ee075e75ed704a06a05f5ff0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b3180ee075e75ed704a06a05f5ff0N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2016	a82b3180ee075e75ed704a06a05f5ff0N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3068	a82b3180ee075e75ed704a06a05f5ff0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 3068	2016	a82b3180ee075e75ed704a06a05f5ff0N.exe	31
PID 2016 wrote to memory of 3068	2016	a82b3180ee075e75ed704a06a05f5ff0N.exe	31
PID 2016 wrote to memory of 3068	2016	a82b3180ee075e75ed704a06a05f5ff0N.exe	31
PID 2016 wrote to memory of 3068	2016	a82b3180ee075e75ed704a06a05f5ff0N.exe	31

C:\Users\Admin\AppData\Local\Temp\a82b3180ee075e75ed704a06a05f5ff0N.exe
"C:\Users\Admin\AppData\Local\Temp\a82b3180ee075e75ed704a06a05f5ff0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\a82b3180ee075e75ed704a06a05f5ff0N.exe
  C:\Users\Admin\AppData\Local\Temp\a82b3180ee075e75ed704a06a05f5ff0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a82b3180ee075e75ed704a06a05f5ff0N.exe

Filesize
194KB

MD5
decd1b0a4447fafe2975046c38f1740e

SHA1
0a79fd0083196b7b7ee463f784e2dd2c24c115c0

SHA256
4dd1e253724f30518165aa189637f60aecb8ee9e22ef968c32651c7db0ef5c9a

SHA512
d61576b47631070638da51b225c7e29214eb0afb269208870395d379d8fa0a47711bd095322e9d750186f301d8b1335656dc98ffd0ce04f418940378c2838685

Download Submit
memory/2016-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2016-9-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3068-12-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3068-17-0x0000000000300000-0x0000000000339000-memory.dmp

Filesize
228KB

Download
memory/3068-11-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3068-18-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download