c24e25506ba4402e02702e792e73468c70794b70ab5dd5ea28b97aa2c7ae2434

Analysis

max time kernel
80s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

615ce9f0ef381665d5fa6c92d8ac4000N.exe
Size

218KB
MD5

615ce9f0ef381665d5fa6c92d8ac4000
SHA1

08f7f66ef855115c95fa67c78cadcc6a777f20aa
SHA256

c24e25506ba4402e02702e792e73468c70794b70ab5dd5ea28b97aa2c7ae2434
SHA512

347159cbaaf168feb9f3194f0ba02bab57f60dbd1c1a84c334e39657c2ce6bf6250a47ca88af33e476df89a908ff165f87c9ba4f9f8378b06c9dd7c462b0050a
SSDEEP

6144:xD5njsi/RluoQDOIsm0Bd85fwbNX9aLisM+Nea:xD5526IsNUIX9aLisvNea

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2780	615ce9f0ef381665d5fa6c92d8ac4000N.exe

Executes dropped EXE 1 IoCs

pid	Process
2780	615ce9f0ef381665d5fa6c92d8ac4000N.exe

Loads dropped DLL 1 IoCs

pid	Process
2340	615ce9f0ef381665d5fa6c92d8ac4000N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	615ce9f0ef381665d5fa6c92d8ac4000N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2340	615ce9f0ef381665d5fa6c92d8ac4000N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2780	615ce9f0ef381665d5fa6c92d8ac4000N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2780	2340	615ce9f0ef381665d5fa6c92d8ac4000N.exe	31
PID 2340 wrote to memory of 2780	2340	615ce9f0ef381665d5fa6c92d8ac4000N.exe	31
PID 2340 wrote to memory of 2780	2340	615ce9f0ef381665d5fa6c92d8ac4000N.exe	31
PID 2340 wrote to memory of 2780	2340	615ce9f0ef381665d5fa6c92d8ac4000N.exe	31

C:\Users\Admin\AppData\Local\Temp\615ce9f0ef381665d5fa6c92d8ac4000N.exe
"C:\Users\Admin\AppData\Local\Temp\615ce9f0ef381665d5fa6c92d8ac4000N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\615ce9f0ef381665d5fa6c92d8ac4000N.exe
  C:\Users\Admin\AppData\Local\Temp\615ce9f0ef381665d5fa6c92d8ac4000N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\615ce9f0ef381665d5fa6c92d8ac4000N.exe

Filesize
218KB

MD5
126c0bfb1aa88cb8aade598f0535c268

SHA1
7f06f74a75ef42305173eb00900109ed4b58eab0

SHA256
611db7f82c36dbcc33b6cbd4ae8db65020b6bdbb5ddca2d0dafb4a81e947a6a9

SHA512
a61d3c3bc0c1d7ecfa751ccc6c17f1f7dcdf0e5f1c553cebbfa5382bdd77e40834f699722e960a5c5e32e609acff62c6f8fb3c78069f68588143d5657121936c

Download Submit
memory/2340-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2340-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2780-10-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2780-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2780-16-0x0000000000130000-0x0000000000172000-memory.dmp

Filesize
264KB

Download
memory/2780-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download