a6063839433d518acd5f4089118ca50b7348356ca1d6675f4f5bddcd36a2fdd1

Analysis

max time kernel
79s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4232d9627a803e17b38b3a646de9920N.exe
Size

209KB
MD5

f4232d9627a803e17b38b3a646de9920
SHA1

464b36b891be50fad88081d570e43c9dcd9be444
SHA256

a6063839433d518acd5f4089118ca50b7348356ca1d6675f4f5bddcd36a2fdd1
SHA512

92971801c7754ff0e2141d8dd41f65c277585d9d2857d6583e898bdefe766bf28b0fe7fa806736137b4d200184a64ac6e51bf94c4e221124b1412397bc7a82ca
SSDEEP

6144:EhXMue9Nam9u6uwhXEIzPJoZp8QK5bzqwaiOLWVtfXp:EhXMue9cuu6uwZOpyEiZtfp

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2320	f4232d9627a803e17b38b3a646de9920N.exe

Executes dropped EXE 1 IoCs

pid	Process
2320	f4232d9627a803e17b38b3a646de9920N.exe

Loads dropped DLL 1 IoCs

pid	Process
2624	f4232d9627a803e17b38b3a646de9920N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4232d9627a803e17b38b3a646de9920N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2624	f4232d9627a803e17b38b3a646de9920N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2320	f4232d9627a803e17b38b3a646de9920N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2320	2624	f4232d9627a803e17b38b3a646de9920N.exe	32
PID 2624 wrote to memory of 2320	2624	f4232d9627a803e17b38b3a646de9920N.exe	32
PID 2624 wrote to memory of 2320	2624	f4232d9627a803e17b38b3a646de9920N.exe	32
PID 2624 wrote to memory of 2320	2624	f4232d9627a803e17b38b3a646de9920N.exe	32

C:\Users\Admin\AppData\Local\Temp\f4232d9627a803e17b38b3a646de9920N.exe
"C:\Users\Admin\AppData\Local\Temp\f4232d9627a803e17b38b3a646de9920N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\f4232d9627a803e17b38b3a646de9920N.exe
  C:\Users\Admin\AppData\Local\Temp\f4232d9627a803e17b38b3a646de9920N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f4232d9627a803e17b38b3a646de9920N.exe

Filesize
209KB

MD5
fde3745d06a08060a243578cb2a3449c

SHA1
e369cf34fedd7fff4b4f618cf29045a1adab2c9f

SHA256
65c9b6ed6b9c823697181d9c579448c904e13ab01ffd0e4b8a78cb24f21134c6

SHA512
81fbe4202361dbce60607556318235c62655523fe5ad39627e3b53c1561efc088fc6cb1f4d519417d40367be7a6e4c44c159029f34824cf58e7f64bdcc663ee6

Download Submit
memory/2320-10-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2320-16-0x0000000000130000-0x0000000000170000-memory.dmp

Filesize
256KB

Download
memory/2320-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2320-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2624-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2624-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download