09fe39c6e9f6c02c8ee86710573ec78dd3fdc90b842a53e40d4722b13a4d88bb

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dc78ad8791f88db3f43598167654f10N.exe
Size

59KB
MD5

0dc78ad8791f88db3f43598167654f10
SHA1

7c31a53377fe5c2da31da3dbe780b6b541c66906
SHA256

09fe39c6e9f6c02c8ee86710573ec78dd3fdc90b842a53e40d4722b13a4d88bb
SHA512

b67bc51c6a6f1b1b2a9be631c8d76fa0bd522ec908299a292b39eaffe4feba7e2e019c5960d5cf90e069aaea4ab7797ff85d414c639bb5fcba45e2b66f2fd3b9
SSDEEP

1536:8nPryhBEAjkpvKVlOYXQ2KQcxfeMBH3GibZ9Vz4bbKVSzr08zC:8nPwEAjkEg2KQcpeMBW6CKVIk

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1936	0dc78ad8791f88db3f43598167654f10N.exe

Executes dropped EXE 1 IoCs

pid	Process
1936	0dc78ad8791f88db3f43598167654f10N.exe

Loads dropped DLL 1 IoCs

pid	Process
2568	0dc78ad8791f88db3f43598167654f10N.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2568-0-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/files/0x000a0000000120d5-10.dat	upx
behavioral1/memory/1936-17-0x0000000000400000-0x000000000043D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0dc78ad8791f88db3f43598167654f10N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2568	0dc78ad8791f88db3f43598167654f10N.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2568	0dc78ad8791f88db3f43598167654f10N.exe
1936	0dc78ad8791f88db3f43598167654f10N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 1936	2568	0dc78ad8791f88db3f43598167654f10N.exe	31
PID 2568 wrote to memory of 1936	2568	0dc78ad8791f88db3f43598167654f10N.exe	31
PID 2568 wrote to memory of 1936	2568	0dc78ad8791f88db3f43598167654f10N.exe	31
PID 2568 wrote to memory of 1936	2568	0dc78ad8791f88db3f43598167654f10N.exe	31

C:\Users\Admin\AppData\Local\Temp\0dc78ad8791f88db3f43598167654f10N.exe
"C:\Users\Admin\AppData\Local\Temp\0dc78ad8791f88db3f43598167654f10N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\0dc78ad8791f88db3f43598167654f10N.exe
  C:\Users\Admin\AppData\Local\Temp\0dc78ad8791f88db3f43598167654f10N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\0dc78ad8791f88db3f43598167654f10N.exe

Filesize
59KB

MD5
470cb45600b1807fecec380342c291f8

SHA1
bae789329a6efbae4b3826598f08d4072c16002c

SHA256
2575c4c55abc89fe31efcb8fb0b71b54525ace2b1f8bee18064f45a7cf52f266

SHA512
2a843193a5da9699d33384bf22a7227892608ad2c4bc43c1e34af761408582c444f803271830c340ea22ec3ac929f8b7bcc83c29e87e3493eb37fc2190a79f31

Download Submit
memory/1936-17-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1936-20-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1936-18-0x0000000000030000-0x000000000003F000-memory.dmp

Filesize
60KB

Download
memory/1936-24-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1936-29-0x0000000000300000-0x000000000031D000-memory.dmp

Filesize
116KB

Download
memory/1936-30-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2568-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2568-1-0x0000000000030000-0x000000000003F000-memory.dmp

Filesize
60KB

Download
memory/2568-2-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2568-16-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2568-14-0x0000000000310000-0x000000000034D000-memory.dmp

Filesize
244KB

Download