17c62bc41a822f5dd58927d24d3324250c35460ee2f6be1f8df451754e252152

Analysis

max time kernel
80s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 12:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

74e0f8a50075882064c50b08e5e00d40N.exe
Size

209KB
MD5

74e0f8a50075882064c50b08e5e00d40
SHA1

c8c27df9ec18ed807361fa89af7731534cc6f09f
SHA256

17c62bc41a822f5dd58927d24d3324250c35460ee2f6be1f8df451754e252152
SHA512

1a1a0cc0646d22208a059226197f0e8a72c15c3c596f04245f65b31d0307d4bea17e543b9b31f39c898f6a98cc831fb07a855ce4d6ddb4cafdf2e496161f291c
SSDEEP

3072:wfuFC5KKpprXuX+nawmEz5uhSro5Q06xAYdj66tYy/9wMuPfCuWefXZV+s:xfX+nawX5z85XYk6igXuXtfXp

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1552	74e0f8a50075882064c50b08e5e00d40N.exe

Executes dropped EXE 1 IoCs

pid	Process
1552	74e0f8a50075882064c50b08e5e00d40N.exe

Loads dropped DLL 1 IoCs

pid	Process
1472	74e0f8a50075882064c50b08e5e00d40N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74e0f8a50075882064c50b08e5e00d40N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1472	74e0f8a50075882064c50b08e5e00d40N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1552	74e0f8a50075882064c50b08e5e00d40N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 1552	1472	74e0f8a50075882064c50b08e5e00d40N.exe	31
PID 1472 wrote to memory of 1552	1472	74e0f8a50075882064c50b08e5e00d40N.exe	31
PID 1472 wrote to memory of 1552	1472	74e0f8a50075882064c50b08e5e00d40N.exe	31
PID 1472 wrote to memory of 1552	1472	74e0f8a50075882064c50b08e5e00d40N.exe	31

C:\Users\Admin\AppData\Local\Temp\74e0f8a50075882064c50b08e5e00d40N.exe
"C:\Users\Admin\AppData\Local\Temp\74e0f8a50075882064c50b08e5e00d40N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Temp\74e0f8a50075882064c50b08e5e00d40N.exe
  C:\Users\Admin\AppData\Local\Temp\74e0f8a50075882064c50b08e5e00d40N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\74e0f8a50075882064c50b08e5e00d40N.exe

Filesize
209KB

MD5
b56764e3a377f3b9b845cd9a3af50527

SHA1
227ade7bcf58700badd98b6e9acea25ee0382b7d

SHA256
ede77a6af9550528ccdee6a1dc726244c4bcced40540f590b35feb1c1b776e90

SHA512
5e410b39e9e12009d8dc1a716e8860816783b722d971b5546264c0a2b7b92ad5350dbbe7a0e4f4070b15375b5b18b537f334efc9a173d7d5a49d1fd22f49f9ba

Download Submit
memory/1472-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1472-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1552-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1552-10-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1552-16-0x0000000000210000-0x0000000000250000-memory.dmp

Filesize
256KB

Download
memory/1552-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download