e9a7b5db6437c79d698317a118e214d46fe409e25cb01baf5ff302845f93ac12

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 14:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

efea7692786354fea26f3f91bcfedd50N.exe
Size

431KB
MD5

efea7692786354fea26f3f91bcfedd50
SHA1

dfbec8ef698ef436c620f2f1cae17473b98a3109
SHA256

e9a7b5db6437c79d698317a118e214d46fe409e25cb01baf5ff302845f93ac12
SHA512

a2b74ba29e78b41144ea2e7c5e9465b9f5cdabf99a73dd84e6c77179360d8b82db0198f4ff729bd991a2e2d1f63a15ce5cf77525f74f37f74e28de5787f95057
SSDEEP

12288:y+Fssq5FVlJOEvoKlSql4ejAAWxe1X7BMPpqeepz4eeriQ/ANBu:yxBOEvoKlSql4ejrWx4X7BMPpqeepz4n

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2796	efea7692786354fea26f3f91bcfedd50N.exe

Executes dropped EXE 1 IoCs

pid	Process
2796	efea7692786354fea26f3f91bcfedd50N.exe

Loads dropped DLL 1 IoCs

pid	Process
588	efea7692786354fea26f3f91bcfedd50N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efea7692786354fea26f3f91bcfedd50N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
588	efea7692786354fea26f3f91bcfedd50N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2796	efea7692786354fea26f3f91bcfedd50N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 588 wrote to memory of 2796	588	efea7692786354fea26f3f91bcfedd50N.exe	31
PID 588 wrote to memory of 2796	588	efea7692786354fea26f3f91bcfedd50N.exe	31
PID 588 wrote to memory of 2796	588	efea7692786354fea26f3f91bcfedd50N.exe	31
PID 588 wrote to memory of 2796	588	efea7692786354fea26f3f91bcfedd50N.exe	31

C:\Users\Admin\AppData\Local\Temp\efea7692786354fea26f3f91bcfedd50N.exe
"C:\Users\Admin\AppData\Local\Temp\efea7692786354fea26f3f91bcfedd50N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:588
- C:\Users\Admin\AppData\Local\Temp\efea7692786354fea26f3f91bcfedd50N.exe
  C:\Users\Admin\AppData\Local\Temp\efea7692786354fea26f3f91bcfedd50N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\efea7692786354fea26f3f91bcfedd50N.exe

Filesize
431KB

MD5
d5f8d029a7536ab001ee5a200268b6ab

SHA1
898ae1f2822e86d87c2943455ede5254af9473b8

SHA256
1dcf2784182e5a8f46018f29d9c787256670dd07d9b1c35735018658294723f4

SHA512
275cb7cdff082d897e85d816eadea93d8b296a9a4fd291f3b8b3fd3cc47441cb2d655712c100ebae1cb35fe7cbc6da7d70f8ad59ccf25cfb405ba46f4a384f3a

Download Submit
memory/588-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/588-5-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/588-10-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2796-12-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2796-11-0x0000000000320000-0x0000000000360000-memory.dmp

Filesize
256KB

Download
memory/2796-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download