1265cf0189498d688061bed54c5df7bb6adb18266cc3bf56f6cea41674626532

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 01:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cd7071008417dc3918f9f4449a261ce0N.exe
Size

63KB
MD5

cd7071008417dc3918f9f4449a261ce0
SHA1

2eb4c7d2987337ce49f63ed6a8c3bfbaf42538be
SHA256

1265cf0189498d688061bed54c5df7bb6adb18266cc3bf56f6cea41674626532
SHA512

574b654e45ccebc822eb516743b6cc6518894504cbf0566c291c54d1c035a1107c910e5f24dcc2df0e83f5489635febf9b2b8db590d65dbe869d5cc786d4517d
SSDEEP

768:eFq/4qn0F1raGCI3FfeMLT++G31LSadk344524444/M5zQ/W1U:qk4e0VCI33T++C1uaeN6y4

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2256	edurss.exe

Loads dropped DLL 1 IoCs

pid	Process
2032	cd7071008417dc3918f9f4449a261ce0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd7071008417dc3918f9f4449a261ce0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edurss.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2256	2032	cd7071008417dc3918f9f4449a261ce0N.exe	30
PID 2032 wrote to memory of 2256	2032	cd7071008417dc3918f9f4449a261ce0N.exe	30
PID 2032 wrote to memory of 2256	2032	cd7071008417dc3918f9f4449a261ce0N.exe	30
PID 2032 wrote to memory of 2256	2032	cd7071008417dc3918f9f4449a261ce0N.exe	30

C:\Users\Admin\AppData\Local\Temp\cd7071008417dc3918f9f4449a261ce0N.exe
"C:\Users\Admin\AppData\Local\Temp\cd7071008417dc3918f9f4449a261ce0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\edurss.exe
  "C:\Users\Admin\AppData\Local\Temp\edurss.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\edurss.exe

Filesize
63KB

MD5
ca678071167439c4bd4047798b417970

SHA1
7855f8cac971330e0a11d10fb283bc435027c070

SHA256
f5a631b226ad969a4269cafa75ced3d53bbbde8f0f43962583ceed0d90cfb2df

SHA512
3196d628ef8725bdf38b113bd7e0cdefff41f368df5b9a4267b14856bb80920cbe528906ed6e86055cd67081082e2e1536fee73d0c82d6ef510ebec562b5351b

Download Submit
memory/2032-1-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download
memory/2032-0-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download
memory/2032-3-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download