3513711c33f950ff0d1ce2173eae16323199c377f53b15905d4b3bdc45bbad68

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 19:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3513711c33f950ff0d1ce2173eae16323199c377f53b15905d4b3bdc45bbad68.exe
Size

6.8MB
MD5

2ec687cf8a8fe312cd82e1b1af1fb5dc
SHA1

0a13d80700cf74ca7203298841482e26f16f4bdf
SHA256

3513711c33f950ff0d1ce2173eae16323199c377f53b15905d4b3bdc45bbad68
SHA512

013e6e11e746171750c66410aec87526eb344b0c499edd33263b467ba8e8c5608cda3a787e977556ea3e1d79ac97fa92627d5ce9f2b4d07338bbe4ffd28055e8
SSDEEP

98304:emhd1UryeQ4EHB69OABV7wQqZUha5jtSyZIUbM:elt952QbaZtliF

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2372	D191.tmp

Executes dropped EXE 1 IoCs

pid	Process
2372	D191.tmp

Loads dropped DLL 2 IoCs

pid	Process
3032	3513711c33f950ff0d1ce2173eae16323199c377f53b15905d4b3bdc45bbad68.exe
3032	3513711c33f950ff0d1ce2173eae16323199c377f53b15905d4b3bdc45bbad68.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3513711c33f950ff0d1ce2173eae16323199c377f53b15905d4b3bdc45bbad68.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2372	3032	3513711c33f950ff0d1ce2173eae16323199c377f53b15905d4b3bdc45bbad68.exe	31
PID 3032 wrote to memory of 2372	3032	3513711c33f950ff0d1ce2173eae16323199c377f53b15905d4b3bdc45bbad68.exe	31
PID 3032 wrote to memory of 2372	3032	3513711c33f950ff0d1ce2173eae16323199c377f53b15905d4b3bdc45bbad68.exe	31
PID 3032 wrote to memory of 2372	3032	3513711c33f950ff0d1ce2173eae16323199c377f53b15905d4b3bdc45bbad68.exe	31

C:\Users\Admin\AppData\Local\Temp\3513711c33f950ff0d1ce2173eae16323199c377f53b15905d4b3bdc45bbad68.exe
"C:\Users\Admin\AppData\Local\Temp\3513711c33f950ff0d1ce2173eae16323199c377f53b15905d4b3bdc45bbad68.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\D191.tmp
  "C:\Users\Admin\AppData\Local\Temp\D191.tmp" --splashC:\Users\Admin\AppData\Local\Temp\3513711c33f950ff0d1ce2173eae16323199c377f53b15905d4b3bdc45bbad68.exe 32442073C2C78EC8E49C2E697B4218BB74CF79C8C670509FE4D4DBB009A07FB28B9B866304A1152306876BE4C6CF3EEBCC1B165F4F623106A805B0DADE67DB9F
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\D191.tmp

Filesize
6.8MB

MD5
fe0fd87e43020047d01d42c091b35490

SHA1
d8f2ed558a4449a2aff3182d2efa4c635a42f05e

SHA256
cc02379125e5232856129257a6c979301c503ab0223d4c2e83e0e0fae6c89d8e

SHA512
4446302ea6c73ab6ce83901fbea9e4dcbc73703704ea121cb7ecaa4a2e0a309d13d2795f12a92af500ad1c9604f0811a2bf86a4e3c1c1406a6afae9baec3cc90

Download Submit
memory/2372-9-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/3032-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download