f66f5f889809e2c2f6a0d6fa3c87800768887127dee14c11b373fa1a8e35dcc7

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e52d4e01328375f5eaf5ac0acc97850N.exe
Size

66KB
MD5

6e52d4e01328375f5eaf5ac0acc97850
SHA1

00a062e0f334b6f1f23fb79856884237c1444c12
SHA256

f66f5f889809e2c2f6a0d6fa3c87800768887127dee14c11b373fa1a8e35dcc7
SHA512

7cb29357ce9ac0232c2aa06a7f4127f8794027406a0c4340cccc456aed805a34beeaa93b2b0150aed8e304a9e306047f0be42f7ee45e0de6b771363f2b005abe
SSDEEP

768:RZCzNyrsbbRImy80EsgoNjoLO3/AuS1+0eCqT4u8J0DJWhjSjAsOmIvrd/vQq:OzUIb25A8ULI00zTto09WhjUAsOf4q

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2088	conwurm.exe

Loads dropped DLL 1 IoCs

pid	Process
1232	6e52d4e01328375f5eaf5ac0acc97850N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e52d4e01328375f5eaf5ac0acc97850N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conwurm.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 2088	1232	6e52d4e01328375f5eaf5ac0acc97850N.exe	30
PID 1232 wrote to memory of 2088	1232	6e52d4e01328375f5eaf5ac0acc97850N.exe	30
PID 1232 wrote to memory of 2088	1232	6e52d4e01328375f5eaf5ac0acc97850N.exe	30
PID 1232 wrote to memory of 2088	1232	6e52d4e01328375f5eaf5ac0acc97850N.exe	30

C:\Users\Admin\AppData\Local\Temp\6e52d4e01328375f5eaf5ac0acc97850N.exe
"C:\Users\Admin\AppData\Local\Temp\6e52d4e01328375f5eaf5ac0acc97850N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\conwurm.exe
  "C:\Users\Admin\AppData\Local\Temp\conwurm.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\conwurm.exe

Filesize
66KB

MD5
5020224c3e51829b058dcf2b7b885d03

SHA1
22553c29677cc5355cab7437ca6c4e6b60eaaa52

SHA256
40ccb6fdd9d512f1c9a3eab14d5260f11caaec10071a3efa883446462d0b260a

SHA512
cd8eca0516028bb020855cab099c2a1cfc0a6d997d8462cf2c1d314686e01f8daec7074fa0b63b7d3c0609a53b7fe2dae259fbcaf77854b85f664cfc57b4a158

Download Submit
memory/1232-1-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download
memory/1232-0-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download
memory/1232-3-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download