9916357dd0af2c505839631ebae9d26783f2c1d75dccf4d66e2e444fb2636afc

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ee9c2cc20e94bcdffe273cdf4b73c10N.exe
Size

1.9MB
MD5

4ee9c2cc20e94bcdffe273cdf4b73c10
SHA1

ed547d82a07c51e1d7e1135bbd1371a77281bc07
SHA256

9916357dd0af2c505839631ebae9d26783f2c1d75dccf4d66e2e444fb2636afc
SHA512

f88223fc1b9b24394113bab065c163c59870f7adee256b1dbf41d969d98ec6de31a23b10d13a1477f3e1a7b35f587e557ea873bd9094030242442259b25cff98
SSDEEP

24576:N2oo60HPdt+1CRiY2eOBvcj3u10dAMHVYrbFquCKKG+TUpJ8qSLl4vmgm856C5uh:Qoa1taC070dD4wIjGC5SxLgm3Xo4Kbyn

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2728	23B6.tmp

Executes dropped EXE 1 IoCs

pid	Process
2728	23B6.tmp

Loads dropped DLL 1 IoCs

pid	Process
2008	4ee9c2cc20e94bcdffe273cdf4b73c10N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ee9c2cc20e94bcdffe273cdf4b73c10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23B6.tmp

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2728	2008	4ee9c2cc20e94bcdffe273cdf4b73c10N.exe	30
PID 2008 wrote to memory of 2728	2008	4ee9c2cc20e94bcdffe273cdf4b73c10N.exe	30
PID 2008 wrote to memory of 2728	2008	4ee9c2cc20e94bcdffe273cdf4b73c10N.exe	30
PID 2008 wrote to memory of 2728	2008	4ee9c2cc20e94bcdffe273cdf4b73c10N.exe	30

C:\Users\Admin\AppData\Local\Temp\4ee9c2cc20e94bcdffe273cdf4b73c10N.exe
"C:\Users\Admin\AppData\Local\Temp\4ee9c2cc20e94bcdffe273cdf4b73c10N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\23B6.tmp
  "C:\Users\Admin\AppData\Local\Temp\23B6.tmp" --splashC:\Users\Admin\AppData\Local\Temp\4ee9c2cc20e94bcdffe273cdf4b73c10N.exe A0FCFC4A9092EFA79A3CB8C40076AF56628BE7749B84BA43EA04E2DBB0C1F125677A5BD1D8842B82CD9DF6DD20436E2DC46889C9C36695EED25D26EA920C540D
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\23B6.tmp

Filesize
1.9MB

MD5
deca6fa860d80f244cb1d4541561f6c9

SHA1
45050ab76edb5a0e9715ce8098f07bdf5639836f

SHA256
8a1aa31e15f938ca4932eef7ceb0fa94bb0af018a375bc4f5aa77d4aa07256c1

SHA512
98b3632c22843cf25959f1891203548fa6dbc3fc1bfa41f4d6972f3a69805ffc3a3c35562c6172ce68f7a2488dc2905243f72f1d7a37cc9f119050da89cb5a9f

Download Submit
memory/2008-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/2728-6-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download