b8aa21439b66bf96739d498b1088d882da07d148e444292ad574c114874badd8

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

233bc1c94fee8a49a083c76aa84684d0N.exe
Size

7.0MB
MD5

233bc1c94fee8a49a083c76aa84684d0
SHA1

2e5878aacb3550d6cbce5a854a93177966167c18
SHA256

b8aa21439b66bf96739d498b1088d882da07d148e444292ad574c114874badd8
SHA512

0e691c24fb4b57a6c4d11d158f0bc463d255560d05d850af5b62ff3bfe4eb5e39d870da709f95d5b0efddd18e5cb8a2cbd7852a69b7e04b2181e15dcd841d64f
SSDEEP

98304:emhd1UryevDNMMC9ic0V7wQqZUha5jtSyZIUbn:elLNMMm02QbaZtliK

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3044	D25C.tmp

Executes dropped EXE 1 IoCs

pid	Process
3044	D25C.tmp

Loads dropped DLL 2 IoCs

pid	Process
3024	233bc1c94fee8a49a083c76aa84684d0N.exe
3024	233bc1c94fee8a49a083c76aa84684d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	233bc1c94fee8a49a083c76aa84684d0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 3044	3024	233bc1c94fee8a49a083c76aa84684d0N.exe	31
PID 3024 wrote to memory of 3044	3024	233bc1c94fee8a49a083c76aa84684d0N.exe	31
PID 3024 wrote to memory of 3044	3024	233bc1c94fee8a49a083c76aa84684d0N.exe	31
PID 3024 wrote to memory of 3044	3024	233bc1c94fee8a49a083c76aa84684d0N.exe	31

C:\Users\Admin\AppData\Local\Temp\233bc1c94fee8a49a083c76aa84684d0N.exe
"C:\Users\Admin\AppData\Local\Temp\233bc1c94fee8a49a083c76aa84684d0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\D25C.tmp
  "C:\Users\Admin\AppData\Local\Temp\D25C.tmp" --splashC:\Users\Admin\AppData\Local\Temp\233bc1c94fee8a49a083c76aa84684d0N.exe 9CF914489E838B6ECE1E5F687A522E3539136977ABA937B2C6C710D6E94DB1ED19756C06FF6792525383D750E45C903558C1F72536F58B9F025108C15C4DCE66
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\D25C.tmp

Filesize
7.0MB

MD5
9745fcab15081aafee796ffa89dcbb87

SHA1
28f8b92dc96cf430c9bf566b00cdac2f1a8f8a4d

SHA256
f72d4a2a4b6f5d26e02e3dbf642a2010dbd80158d5b4282c871c7f06e9ff6de3

SHA512
3f98ad9cde539aa22164d4b99fd2a57d9e340c2fdae5841090a105d1659e3e16ea71a1f33656802d02c6c99c695af9559b82574e63407d4676cdfeeddb28878b

Download Submit
memory/3024-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/3044-9-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download