2da2c61c6c97302bfb4da8911ecc75dc5f1ca7106e584061fb7a1ae97f12b94b

Analysis

max time kernel
21s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0a068ca3d6d9b633cc0f664051d28d0N.exe
Size

7.8MB
MD5

a0a068ca3d6d9b633cc0f664051d28d0
SHA1

0eef56180b422b928ecb98e58d23f0d062bcedb8
SHA256

2da2c61c6c97302bfb4da8911ecc75dc5f1ca7106e584061fb7a1ae97f12b94b
SHA512

e319eb0c0aa9121c55338abc581a7b108a544f6268e9e7e1b7f7555221c1e2635d692621e0a792dc5b08de64f2fe69ba084eea4f9026261db7c9b0afc633afe7
SSDEEP

98304:emhd1UryecnYYrwyteFV7wQqZUha5jtSyZIUb:ellYrwytm2QbaZtli

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2768	7F3E.tmp

Executes dropped EXE 1 IoCs

pid	Process
2768	7F3E.tmp

Loads dropped DLL 2 IoCs

pid	Process
2276	a0a068ca3d6d9b633cc0f664051d28d0N.exe
2276	a0a068ca3d6d9b633cc0f664051d28d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0a068ca3d6d9b633cc0f664051d28d0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2768	2276	a0a068ca3d6d9b633cc0f664051d28d0N.exe	30
PID 2276 wrote to memory of 2768	2276	a0a068ca3d6d9b633cc0f664051d28d0N.exe	30
PID 2276 wrote to memory of 2768	2276	a0a068ca3d6d9b633cc0f664051d28d0N.exe	30
PID 2276 wrote to memory of 2768	2276	a0a068ca3d6d9b633cc0f664051d28d0N.exe	30

C:\Users\Admin\AppData\Local\Temp\a0a068ca3d6d9b633cc0f664051d28d0N.exe
"C:\Users\Admin\AppData\Local\Temp\a0a068ca3d6d9b633cc0f664051d28d0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\7F3E.tmp
  "C:\Users\Admin\AppData\Local\Temp\7F3E.tmp" --splashC:\Users\Admin\AppData\Local\Temp\a0a068ca3d6d9b633cc0f664051d28d0N.exe 3C93437D9561D8DE2E4FE38DDE7A343FCA04C10604CBD0FDF0DEE7E141101BEF58E3ADCC8BCA63BD8B6D0AC6AE8C4EBC4917F7986DAB51125C90FB080BDCFE0C
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\7F3E.tmp

Filesize
7.8MB

MD5
d606e7342280acaa1f910836528c09a2

SHA1
00b6443cfccc4935e7065e6f7aac6219250c8fb8

SHA256
6c8d911f9bf40c993aed77af5387dfd12c911b83b51fffc9dc8a995c87b29bc0

SHA512
f004dfdb15209fea8dcbbec21d6eb9f5496cc278edd9d8af75af3a661e7447549bd30f34b2bf5bca540922ab2ebb173c3c7c4d719a2c9cb8b15589b5f3429f84

Download Submit
memory/2276-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/2768-9-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download