cac448285e201065b442df1465b8a708223c1ac3f26ebe8170c8826017730478

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abe55a07f8a52be14e1bc52c97250100N.exe
Size

4.3MB
MD5

abe55a07f8a52be14e1bc52c97250100
SHA1

00426499283809377e67997f364fd71092b3e027
SHA256

cac448285e201065b442df1465b8a708223c1ac3f26ebe8170c8826017730478
SHA512

4febdbc1e2c235293059c15300a7ac4e8844c1a805a5a08d6e501a0a63bd44515679d0253fdacf39895f060bd4ea8a18fe888128bbd12ab614d2863206b72859
SSDEEP

98304:emhd1UryeGPniySURd+G+7d7K2DV7wQqZUha5jtr:elmPp67d7j2QbaZtr

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2564	D2F8.tmp

Executes dropped EXE 1 IoCs

pid	Process
2564	D2F8.tmp

Loads dropped DLL 2 IoCs

pid	Process
3048	abe55a07f8a52be14e1bc52c97250100N.exe
3048	abe55a07f8a52be14e1bc52c97250100N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abe55a07f8a52be14e1bc52c97250100N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2564	3048	abe55a07f8a52be14e1bc52c97250100N.exe	31
PID 3048 wrote to memory of 2564	3048	abe55a07f8a52be14e1bc52c97250100N.exe	31
PID 3048 wrote to memory of 2564	3048	abe55a07f8a52be14e1bc52c97250100N.exe	31
PID 3048 wrote to memory of 2564	3048	abe55a07f8a52be14e1bc52c97250100N.exe	31

C:\Users\Admin\AppData\Local\Temp\abe55a07f8a52be14e1bc52c97250100N.exe
"C:\Users\Admin\AppData\Local\Temp\abe55a07f8a52be14e1bc52c97250100N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\D2F8.tmp
  "C:\Users\Admin\AppData\Local\Temp\D2F8.tmp" --splashC:\Users\Admin\AppData\Local\Temp\abe55a07f8a52be14e1bc52c97250100N.exe 8ECBA57E8820249C95DBA3F3A56537E8B8C7DECDD96CC932B39129BD198AD5F74EFA864A3E53DDD0371197F48236A5C0C75CCA54F2ED9631B55712F5A315DB20
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\D2F8.tmp

Filesize
4.3MB

MD5
88b483aaed82576d0a2dcfc6239830d7

SHA1
b12b684474d3c600f3e8fd57fc6d839d18fbd1cc

SHA256
f417d2e5dda94dad32420a2b555d590bdc7757efd33039df260593ee9bfd10e1

SHA512
3bc0b2c9af3dbba880143b6a86c76a522e6e1cd9193e8c6939d1d979c8bfd68ea57ab521a622b79e8d57a746e4d7bab011019a6eb66ef568b500f3d51b0fe4be

Download Submit
memory/2564-9-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/3048-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download