Analysis
-
max time kernel
141s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
18-08-2024 06:10
Static task
static1
Behavioral task
behavioral1
Sample
Trojan_Remover_V6.9.6.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
Trojan_Remover_V6.9.6.exe
Resource
win10v2004-20240802-en
General
-
Target
Trojan_Remover_V6.9.6.exe
-
Size
20.9MB
-
MD5
b99984ad78f818d34c5ed599d312a2e1
-
SHA1
893ffbaf835653ed197fccb8c756ad21a679a081
-
SHA256
f7f8880582210c104511885f52112ef6bb8977775dd3e3343c62e6d9e196f3e8
-
SHA512
ff293cf4757232a786e17e0bf825bed6325e6b713477381ad849379d3bb7d18ef1b33ffaefda766f1296809f15092a6bc2970cb5d860dbf23ad8c731814ab271
-
SSDEEP
393216:dYm0BJS9+7GOq1GHZhOZjHlHAoYJ/fpQwa83E0vZkLB2oXJp5hT3MaVm+y:+M+t+IbOZHlgB/fpWmEwZkLMw38x+y
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3292 Trojan_Remover_V6.9.6.tmp -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan_Remover_V6.9.6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan_Remover_V6.9.6.tmp -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 888 wrote to memory of 3292 888 Trojan_Remover_V6.9.6.exe 87 PID 888 wrote to memory of 3292 888 Trojan_Remover_V6.9.6.exe 87 PID 888 wrote to memory of 3292 888 Trojan_Remover_V6.9.6.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe"C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:888 -
C:\Users\Admin\AppData\Local\Temp\is-NVGQF.tmp\Trojan_Remover_V6.9.6.tmp"C:\Users\Admin\AppData\Local\Temp\is-NVGQF.tmp\Trojan_Remover_V6.9.6.tmp" /SL5="$50280,20691785,1103872,C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3292
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.3MB
MD55eca6b6cd4733323140d8e32cb484355
SHA175401d7c0e0f1bc14be20da23787785dbb01e7b2
SHA256f6861456cacb82a1a999c1233fe67408e8eb25e3c5ed08a516111c9225143e72
SHA5129910f01b32c65f1fe1f7c3a1eaecd8550a6a229475cbec2090e5524d6f1ac632d0710fa9e9e462ba8538ed1cf67a033f13d2baa500954a08edbda3058a743ce4