26874faa895d0bd4098f5ea1a70f8553072f7d87c374b074ec5377ceb26dce42

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

077a4447e4dc73de0fdddb4416ad5550N.exe
Size

640KB
MD5

077a4447e4dc73de0fdddb4416ad5550
SHA1

73a05a38ed794a2f7bdac2e983304a0905fa25d3
SHA256

26874faa895d0bd4098f5ea1a70f8553072f7d87c374b074ec5377ceb26dce42
SHA512

f02836a81be3e453be0221f84a5f6c6f9e5a72ca575a0980655779b85a9fc5308dd754d93d8e1d60c59684ec9c40d3afe16a2b5e2090a08b0055a10e1f01e485
SSDEEP

12288:wmz1UU6cSJQq9lnWhVQ5zCD4TyWN9VysX7ryTk2osi9:wmzjgQ4lnWhVQ5zY4xN9VyUUkV19

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2892	077a4447e4dc73de0fdddb4416ad5550N.exe

Executes dropped EXE 1 IoCs

pid	Process
2892	077a4447e4dc73de0fdddb4416ad5550N.exe

Loads dropped DLL 1 IoCs

pid	Process
2852	077a4447e4dc73de0fdddb4416ad5550N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	077a4447e4dc73de0fdddb4416ad5550N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2852	077a4447e4dc73de0fdddb4416ad5550N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2892	077a4447e4dc73de0fdddb4416ad5550N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2892	2852	077a4447e4dc73de0fdddb4416ad5550N.exe	31
PID 2852 wrote to memory of 2892	2852	077a4447e4dc73de0fdddb4416ad5550N.exe	31
PID 2852 wrote to memory of 2892	2852	077a4447e4dc73de0fdddb4416ad5550N.exe	31
PID 2852 wrote to memory of 2892	2852	077a4447e4dc73de0fdddb4416ad5550N.exe	31

C:\Users\Admin\AppData\Local\Temp\077a4447e4dc73de0fdddb4416ad5550N.exe
"C:\Users\Admin\AppData\Local\Temp\077a4447e4dc73de0fdddb4416ad5550N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\077a4447e4dc73de0fdddb4416ad5550N.exe
  C:\Users\Admin\AppData\Local\Temp\077a4447e4dc73de0fdddb4416ad5550N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\077a4447e4dc73de0fdddb4416ad5550N.exe

Filesize
640KB

MD5
4d9979fa47f357622dc702e58ad8e791

SHA1
da37032a511d9b8209b31771813af72b46d42496

SHA256
2d6702b4d522311e67b3efdd949fbda097cae7b611361ec8e03f2c5e80c94838

SHA512
ae2e81098d964eef69bda3ed8e554f0630c9f23cf8168d7706ccdd855a217967bcea7a8f8009a87542140a4afa5eb266291030040c3bfb8ff5bbaea2d0a3477f

Download Submit
memory/2852-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2852-5-0x0000000000190000-0x00000000001D6000-memory.dmp

Filesize
280KB

Download
memory/2852-10-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2892-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2892-16-0x00000000001B0000-0x00000000001F6000-memory.dmp

Filesize
280KB

Download
memory/2892-17-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download