f7f8880582210c104511885f52112ef6bb8977775dd3e3343c62e6d9e196f3e8

Analysis

max time kernel
141s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan_Remover_V6.9.6.exe
Size

20.9MB
MD5

b99984ad78f818d34c5ed599d312a2e1
SHA1

893ffbaf835653ed197fccb8c756ad21a679a081
SHA256

f7f8880582210c104511885f52112ef6bb8977775dd3e3343c62e6d9e196f3e8
SHA512

ff293cf4757232a786e17e0bf825bed6325e6b713477381ad849379d3bb7d18ef1b33ffaefda766f1296809f15092a6bc2970cb5d860dbf23ad8c731814ab271
SSDEEP

393216:dYm0BJS9+7GOq1GHZhOZjHlHAoYJ/fpQwa83E0vZkLB2oXJp5hT3MaVm+y:+M+t+IbOZHlgB/fpWmEwZkLMw38x+y

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3292	Trojan_Remover_V6.9.6.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan_Remover_V6.9.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan_Remover_V6.9.6.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 3292	888	Trojan_Remover_V6.9.6.exe	87
PID 888 wrote to memory of 3292	888	Trojan_Remover_V6.9.6.exe	87
PID 888 wrote to memory of 3292	888	Trojan_Remover_V6.9.6.exe	87

C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:888
- C:\Users\Admin\AppData\Local\Temp\is-NVGQF.tmp\Trojan_Remover_V6.9.6.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NVGQF.tmp\Trojan_Remover_V6.9.6.tmp" /SL5="$50280,20691785,1103872,C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-NVGQF.tmp\Trojan_Remover_V6.9.6.tmp

Filesize
3.3MB

MD5
5eca6b6cd4733323140d8e32cb484355

SHA1
75401d7c0e0f1bc14be20da23787785dbb01e7b2

SHA256
f6861456cacb82a1a999c1233fe67408e8eb25e3c5ed08a516111c9225143e72

SHA512
9910f01b32c65f1fe1f7c3a1eaecd8550a6a229475cbec2090e5524d6f1ac632d0710fa9e9e462ba8538ed1cf67a033f13d2baa500954a08edbda3058a743ce4

Download Submit
memory/888-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/888-0-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/888-8-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/3292-6-0x0000000000400000-0x000000000074F000-memory.dmp

Filesize
3.3MB

Download
memory/3292-10-0x0000000000400000-0x000000000074F000-memory.dmp

Filesize
3.3MB

Download