31eaf59cea3e2333e16ee808800b20c9a28a4db51f73fbf786ca2255b1cd200b

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 15:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2b291d24bb315b4e0fef22878c600a70N.exe
Size

7.0MB
MD5

2b291d24bb315b4e0fef22878c600a70
SHA1

799af54e1dbdab3565e8a6d8f54c1b29bf1a4638
SHA256

31eaf59cea3e2333e16ee808800b20c9a28a4db51f73fbf786ca2255b1cd200b
SHA512

ed0932ecf77cd6c7e34e7b919ba43af008f259632176312b702edc3a90391b044b130cfdcfc97c602b40631ec683ef17e698ccbb77950906875a5ac942817ca5
SSDEEP

98304:emhd1Uryeoyt6zLV3bFSmrGoZ2amHV7wQqZUha5jtSyZIUbn:elI9rSsGytmH2QbaZtliK

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1980	B654.tmp

Executes dropped EXE 1 IoCs

pid	Process
1980	B654.tmp

Loads dropped DLL 2 IoCs

pid	Process
1928	2b291d24bb315b4e0fef22878c600a70N.exe
1928	2b291d24bb315b4e0fef22878c600a70N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b291d24bb315b4e0fef22878c600a70N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1980	1928	2b291d24bb315b4e0fef22878c600a70N.exe	30
PID 1928 wrote to memory of 1980	1928	2b291d24bb315b4e0fef22878c600a70N.exe	30
PID 1928 wrote to memory of 1980	1928	2b291d24bb315b4e0fef22878c600a70N.exe	30
PID 1928 wrote to memory of 1980	1928	2b291d24bb315b4e0fef22878c600a70N.exe	30

C:\Users\Admin\AppData\Local\Temp\2b291d24bb315b4e0fef22878c600a70N.exe
"C:\Users\Admin\AppData\Local\Temp\2b291d24bb315b4e0fef22878c600a70N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\B654.tmp
  "C:\Users\Admin\AppData\Local\Temp\B654.tmp" --splashC:\Users\Admin\AppData\Local\Temp\2b291d24bb315b4e0fef22878c600a70N.exe FFE43EB1C7B5E28F1BBB0CA422F336BB7A3370B4630819EE875C2C2CCA58928A15AFFE9D83798DC638D843FCE155D2DA1F89D36D10592CAB26593C960752F92A
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\B654.tmp

Filesize
7.0MB

MD5
4f763ad9add41bb9c5eb27645c4073e2

SHA1
7a1407bd515be13ad23225848baf824340eea733

SHA256
241d06609e465d2321b144d1098b32bfa3d98ad5f37adcb824ac93ba8a6352e3

SHA512
823cd56726c4d3f391886334e5f6e92c0baea958f6636d864835606e20014f40c584728b1d7b8c08585def6032f06524869d61af23b095a23ecd9b5ff7f49e2d

Download Submit
memory/1928-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/1980-9-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download