493b1b2693a2e3b8df9136028cc88e3b0f0a391292fc5e4ec271b792c93fc278

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

493b1b2693a2e3b8df9136028cc88e3b0f0a391292fc5e4ec271b792c93fc278.exe
Size

6.0MB
MD5

9e149049ea54e0d6a29f31e5c29393de
SHA1

ee76d0efd0735f2187e4bca1e1acc876291389f7
SHA256

493b1b2693a2e3b8df9136028cc88e3b0f0a391292fc5e4ec271b792c93fc278
SHA512

1b8c52c1c5546e21632768707c5f3dccd20eba7850341514a496bfa115d74eba99ab0ab57256a142c81c9f8aa117bfbfa64ca4fd1e633dbe5536953636799ea1
SSDEEP

98304:emhd1UryeOo6RP+WjWIPzDjd8V7wQqZUha5jtSyZIUS:eluv9j1PzDy2QbaZtlir

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2684	FCB6.tmp

Executes dropped EXE 1 IoCs

pid	Process
2684	FCB6.tmp

Loads dropped DLL 2 IoCs

pid	Process
2212	493b1b2693a2e3b8df9136028cc88e3b0f0a391292fc5e4ec271b792c93fc278.exe
2212	493b1b2693a2e3b8df9136028cc88e3b0f0a391292fc5e4ec271b792c93fc278.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	493b1b2693a2e3b8df9136028cc88e3b0f0a391292fc5e4ec271b792c93fc278.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2684	2212	493b1b2693a2e3b8df9136028cc88e3b0f0a391292fc5e4ec271b792c93fc278.exe	30
PID 2212 wrote to memory of 2684	2212	493b1b2693a2e3b8df9136028cc88e3b0f0a391292fc5e4ec271b792c93fc278.exe	30
PID 2212 wrote to memory of 2684	2212	493b1b2693a2e3b8df9136028cc88e3b0f0a391292fc5e4ec271b792c93fc278.exe	30
PID 2212 wrote to memory of 2684	2212	493b1b2693a2e3b8df9136028cc88e3b0f0a391292fc5e4ec271b792c93fc278.exe	30

C:\Users\Admin\AppData\Local\Temp\493b1b2693a2e3b8df9136028cc88e3b0f0a391292fc5e4ec271b792c93fc278.exe
"C:\Users\Admin\AppData\Local\Temp\493b1b2693a2e3b8df9136028cc88e3b0f0a391292fc5e4ec271b792c93fc278.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\FCB6.tmp
  "C:\Users\Admin\AppData\Local\Temp\FCB6.tmp" --splashC:\Users\Admin\AppData\Local\Temp\493b1b2693a2e3b8df9136028cc88e3b0f0a391292fc5e4ec271b792c93fc278.exe 86512B444B97E6454C7EBEB7C10F5DAFA9843801102064B8349D7E1DB00152E2FEEE237560EFFC926213B4A463DF320026103C0C46B8CB40018FA2C9918D7A49
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\FCB6.tmp

Filesize
6.0MB

MD5
67460c482ffbbb3de58dd1e7d0e2dfe8

SHA1
20d9f858c059c0ebdf005607da121057e6244f76

SHA256
3cea8ea15f3888df365e1bc6780b164bdc32fd7ab5892546f6b2710f20229f83

SHA512
34d26d36ebab78803c0420f78b71665f993cd79c94988057a196a2f0d08a8a12145be6814b746223225ad054ba87454411be0bf64fbebc418750782894ca1bdc

Download Submit
memory/2212-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/2684-9-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download