ebb531fe79fc13e9520143d340077fec89f32a3afc3b1bf040bc7ba7c34a2d93

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e630772c1e06c4fcb9d421b326c6b3c0N.exe
Size

821KB
MD5

e630772c1e06c4fcb9d421b326c6b3c0
SHA1

9b856ec7465e2f7ed09fadc863fcc3826079e341
SHA256

ebb531fe79fc13e9520143d340077fec89f32a3afc3b1bf040bc7ba7c34a2d93
SHA512

32f20a4e96dae341bf5725242f4cc5d731e67c556a844abbd291a0eb1fdeacb0b83b55889d2299feceb7389deeb01d30368a98a70a4a0616b16a331d720f1dcb
SSDEEP

24576:UTkzs9nHETVN5C7hkSiXj7aLZmN1SafY:UTkzs9nHETV27m7XfWZmXvfY

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2344	FAC3.tmp

Executes dropped EXE 1 IoCs

pid	Process
2344	FAC3.tmp

Loads dropped DLL 1 IoCs

pid	Process
2180	e630772c1e06c4fcb9d421b326c6b3c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e630772c1e06c4fcb9d421b326c6b3c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FAC3.tmp

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2344	2180	e630772c1e06c4fcb9d421b326c6b3c0N.exe	31
PID 2180 wrote to memory of 2344	2180	e630772c1e06c4fcb9d421b326c6b3c0N.exe	31
PID 2180 wrote to memory of 2344	2180	e630772c1e06c4fcb9d421b326c6b3c0N.exe	31
PID 2180 wrote to memory of 2344	2180	e630772c1e06c4fcb9d421b326c6b3c0N.exe	31

C:\Users\Admin\AppData\Local\Temp\e630772c1e06c4fcb9d421b326c6b3c0N.exe
"C:\Users\Admin\AppData\Local\Temp\e630772c1e06c4fcb9d421b326c6b3c0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\FAC3.tmp
  "C:\Users\Admin\AppData\Local\Temp\FAC3.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FAC3.tmp

Filesize
821KB

MD5
a8a3cbac3a82ba2d72c0f73268b4c331

SHA1
38872584368cb531d4a972258f1408256c363e73

SHA256
eb2421faa90b791f6ad70418e43be35ccb6abfd22229c42f128f27c43ac3b001

SHA512
21889d067e9a5e64fda9353be80f3f9c0e18cc53316df96b8110559861a595d7fe28f62a63381bb82c543d137e0620a7070a522e14f67fa527a2fd43f85c8d77

Download Submit
memory/2180-2-0x0000000000870000-0x000000000093A000-memory.dmp

Filesize
808KB

Download
memory/2180-7-0x0000000000870000-0x000000000093A000-memory.dmp

Filesize
808KB

Download
memory/2180-5-0x0000000000370000-0x000000000043A000-memory.dmp

Filesize
808KB

Download
memory/2344-8-0x00000000001E0000-0x00000000002AA000-memory.dmp

Filesize
808KB

Download
memory/2344-9-0x00000000001E0000-0x00000000002AA000-memory.dmp

Filesize
808KB

Download