Analysis
Max time kernel: 118s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20240705-en
Resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
Submitted: 19/08/2024, 06:03
Static task: static1
Behavioral task: behavioral1
  Sample: 9a5421854850d3e5bd213b6905333e70N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 9a5421854850d3e5bd213b6905333e70N.exe
  Resource: win10v2004-20240802-en
General
Target: 9a5421854850d3e5bd213b6905333e70N.exe
Size: 4.2MB
MD5: 9a5421854850d3e5bd213b6905333e70
SHA1: 1ba82fbde3f6749707adb4241d97f45b94c8ba9a
SHA256: 7fbcb0b1127df303f5dfcf9c7f1b4e24daea2273d7312b2e82b0b7ca86f12ed5
SHA512: a262803af481665b57369cfb04882dc691e24404d40c3e7e405bfbea01c96d5b634e5d6026f772d42103e2e7b22574bae7d51ddd5fe29e2cc8bdd94830dcfbc9
SSDEEP: 98304:Cmhd1UryeKw57V0WBkjqpz0HmbVLUjH5oxFbxhVLUjH5oxFbx:ClhBqc0MombVUjZEdhVUjZEd
Malware Config
Signatures
- Deletes itself (1 IoC)
  PID 2384  Process: 9D29.tmp
- Executes dropped EXE (1 IoC)
  PID 2384  Process: 9D29.tmp
- Loads dropped DLL (2 IoCs)
  PID 2444  Process: 9a5421854850d3e5bd213b6905333e70N.exe
  PID 2444  Process: 9a5421854850d3e5bd213b6905333e70N.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description: Key opened
  IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 9a5421854850d3e5bd213b6905333e70N.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Description                        PID   Process                                 Target PID
  PID 2444 wrote to memory of 2384   2444  9a5421854850d3e5bd213b6905333e70N.exe   30
  PID 2444 wrote to memory of 2384   2444  9a5421854850d3e5bd213b6905333e70N.exe   30
  PID 2444 wrote to memory of 2384   2444  9a5421854850d3e5bd213b6905333e70N.exe   30
  PID 2444 wrote to memory of 2384   2444  9a5421854850d3e5bd213b6905333e70N.exe   30
Processes
1. C:\Users\Admin\AppData\Local\Temp\9a5421854850d3e5bd213b6905333e70N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9a5421854850d3e5bd213b6905333e70N.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2444
   2. C:\Users\Admin\AppData\Local\Temp\9D29.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\9D29.tmp" --splash C:\Users\Admin\AppData\Local\Temp\9a5421854850d3e5bd213b6905333e70N.exe 357BD12A70C0CC148088C34A0DC2BE9B5B693784C4598055C98EFBB8DE8788A7DD6CCB66308D8BF849C877069F0E92A49320F9BBF0C71C23E47F468D927ED949
      - Deletes itself
      - Executes dropped EXE
      PID: 2384
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4.2MB
MD5: 2a4b995f4e7c19c278d531ddc0954a8c
SHA1: 6a62da0ba87b692600dacc87e763d69b1f4644ac
SHA256: 16e729b32da66ae9cc4fe78d2270a784e46b777dd84cd2e01ad84fd75c64bb17
SHA512: f51d2cad89e0f6e38989fe0e0d057e1e0458ccdf61c3e7bf152b3cf1de6c3477a2f66be4399f08e8c54e370fab507bc2a7aae41007397b80b940a49d0cb22ecf