bf2573860f50ad441ee58bdf167fcdb592852140e4cd68b8e6828065c3ff0ea0

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 23:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4c879ecf35579c79848ec0acc496c8d26284c3fc7aadd547d92d006a396e5eda.exe
Size

1.9MB
MD5

91d2bd2aeff1f48ff9a6a029590803f1
SHA1

cc42a9fbcd33ae9042959e3ac69722aed67d9b0b
SHA256

4c879ecf35579c79848ec0acc496c8d26284c3fc7aadd547d92d006a396e5eda
SHA512

bb4ace65fabfef20bcf0301a705797ab62a23e7e2343fc47e7fe171ea26cfda2f0f124eeb8cdb215aa954a9170e5cd9606be7ef7bfbbcf94ff1d32012626ea9d
SSDEEP

24576:N2oo60HPdt+1CRiY2eOBvcj3u10d1YWXYpl/NyvptRxB10Ne7JZUfTAhknuc0njm:Qoa1taC070d1YcYpl/IDH1pGTAkuc0jm

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1424	982.tmp

Executes dropped EXE 1 IoCs

pid	Process
1424	982.tmp

Loads dropped DLL 1 IoCs

pid	Process
2944	4c879ecf35579c79848ec0acc496c8d26284c3fc7aadd547d92d006a396e5eda.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c879ecf35579c79848ec0acc496c8d26284c3fc7aadd547d92d006a396e5eda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	982.tmp

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 1424	2944	4c879ecf35579c79848ec0acc496c8d26284c3fc7aadd547d92d006a396e5eda.exe	29
PID 2944 wrote to memory of 1424	2944	4c879ecf35579c79848ec0acc496c8d26284c3fc7aadd547d92d006a396e5eda.exe	29
PID 2944 wrote to memory of 1424	2944	4c879ecf35579c79848ec0acc496c8d26284c3fc7aadd547d92d006a396e5eda.exe	29
PID 2944 wrote to memory of 1424	2944	4c879ecf35579c79848ec0acc496c8d26284c3fc7aadd547d92d006a396e5eda.exe	29

C:\Users\Admin\AppData\Local\Temp\4c879ecf35579c79848ec0acc496c8d26284c3fc7aadd547d92d006a396e5eda.exe
"C:\Users\Admin\AppData\Local\Temp\4c879ecf35579c79848ec0acc496c8d26284c3fc7aadd547d92d006a396e5eda.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\982.tmp
  "C:\Users\Admin\AppData\Local\Temp\982.tmp" --splashC:\Users\Admin\AppData\Local\Temp\4c879ecf35579c79848ec0acc496c8d26284c3fc7aadd547d92d006a396e5eda.exe 76F714D4BEC123D43EF0929277BA7E4D244FA8D51EF705EBCE1F4072557755D067AC39936FE5365AD107CEA9238BA716028512AAD76759872F4F790B62D7E919
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\982.tmp

Filesize
1.9MB

MD5
0dbd862d2e635d95c9fbb1e0ffd0e5b6

SHA1
138da8ef153e5f343a66d1f56430b6dd6b759a6a

SHA256
a3577bc8fc782930bd9a9fc16e2891755d8b368ef236261083b0e4fdcbdc27c2

SHA512
9d9228ec867d6c5007961ddf222bcc2d47adce30baac6c4c761745bf0e8fef93b1bc3d669157e35ad54dc174808dfff8f53019f70554278848be2578dfa539e9

Download Submit
memory/1424-6-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/2944-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download