c076bf0a691a858c0ba7ae52a49681e42ed3b045d0a978beeee8dd2cd3197ebe

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90cf4194a0f5012f79836f5eca571ab0N.exe
Size

768KB
MD5

90cf4194a0f5012f79836f5eca571ab0
SHA1

ae1a878b51d5878886781e34daf48b0b84324670
SHA256

c076bf0a691a858c0ba7ae52a49681e42ed3b045d0a978beeee8dd2cd3197ebe
SHA512

1dd3488c75c314a276100df589082ceca940a576102abd68c384b33823ce6e32183c020034638934ec2521ced439b5b36880bef9a5a30a5603a361e3b9a51741
SSDEEP

12288:sPKTf/z2sWmUJXfbCAf9CAfK4AXygqfwWCAfK4AXygqfYCAfRCAT:sPgdWLdfb9f99foigY79foigYY9fR9

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2012	90cf4194a0f5012f79836f5eca571ab0N.exe

Executes dropped EXE 1 IoCs

pid	Process
2012	90cf4194a0f5012f79836f5eca571ab0N.exe

Loads dropped DLL 1 IoCs

pid	Process
2360	90cf4194a0f5012f79836f5eca571ab0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90cf4194a0f5012f79836f5eca571ab0N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2360	90cf4194a0f5012f79836f5eca571ab0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2012	2360	90cf4194a0f5012f79836f5eca571ab0N.exe	32
PID 2360 wrote to memory of 2012	2360	90cf4194a0f5012f79836f5eca571ab0N.exe	32
PID 2360 wrote to memory of 2012	2360	90cf4194a0f5012f79836f5eca571ab0N.exe	32
PID 2360 wrote to memory of 2012	2360	90cf4194a0f5012f79836f5eca571ab0N.exe	32

C:\Users\Admin\AppData\Local\Temp\90cf4194a0f5012f79836f5eca571ab0N.exe
"C:\Users\Admin\AppData\Local\Temp\90cf4194a0f5012f79836f5eca571ab0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\90cf4194a0f5012f79836f5eca571ab0N.exe
  C:\Users\Admin\AppData\Local\Temp\90cf4194a0f5012f79836f5eca571ab0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\90cf4194a0f5012f79836f5eca571ab0N.exe

Filesize
768KB

MD5
d67427b6743de2e354ad04ed8699d8ad

SHA1
a2983403aa99fe3f17e8caab5d352bc5005713ef

SHA256
793155ed22e989b2132aef6ee543f2fa13fcfa184d9cfe2f63240d753854de75

SHA512
b6d98758212afa26c23df80f31b1b275de72d316af71bb339dc0e2c96fce115edb1061b15a612abcfe0c76fd91d288bf7c71e71950bab19e44b83b74a518ff57

Download Submit
memory/2012-12-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2012-14-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2360-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2360-9-0x0000000003020000-0x00000000030ED000-memory.dmp

Filesize
820KB

Download
memory/2360-11-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download