365d3a1dcc9ccb57ba488b13ce2de5e6c7da23477626650fce3d607d2b29331d

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 08:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

df017ecef6afe61b947455f2a1cea220b9a50add9935c02e4d7df7b64ad50c9e.exe
Size

1.9MB
MD5

20a9cfc03e8fb5c00dcbeaab702fb02b
SHA1

f6b379bd708821d3a88cfd8753af7189b3d83548
SHA256

df017ecef6afe61b947455f2a1cea220b9a50add9935c02e4d7df7b64ad50c9e
SHA512

09c4b2b7fe8c2a4b6934d5bb0b45f01bb9d318f0577260607ed9a32501446de66a0b96201ceb8fb430a3ce4e03427550c16d1f811a5f88bbc69960e08c5846f0
SSDEEP

24576:N2oo60HPdt+1CRiY2eOBvcj3u10d7Ulk3VEut7ruRt2QoaFioAIOSwGaqtJfslQH:Qoa1taC070doloI2GF3XEjlzkG6mA9

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2496	C40A.tmp

Executes dropped EXE 1 IoCs

pid	Process
2496	C40A.tmp

Loads dropped DLL 1 IoCs

pid	Process
2320	df017ecef6afe61b947455f2a1cea220b9a50add9935c02e4d7df7b64ad50c9e.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df017ecef6afe61b947455f2a1cea220b9a50add9935c02e4d7df7b64ad50c9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C40A.tmp

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2496	2320	df017ecef6afe61b947455f2a1cea220b9a50add9935c02e4d7df7b64ad50c9e.exe	29
PID 2320 wrote to memory of 2496	2320	df017ecef6afe61b947455f2a1cea220b9a50add9935c02e4d7df7b64ad50c9e.exe	29
PID 2320 wrote to memory of 2496	2320	df017ecef6afe61b947455f2a1cea220b9a50add9935c02e4d7df7b64ad50c9e.exe	29
PID 2320 wrote to memory of 2496	2320	df017ecef6afe61b947455f2a1cea220b9a50add9935c02e4d7df7b64ad50c9e.exe	29

C:\Users\Admin\AppData\Local\Temp\df017ecef6afe61b947455f2a1cea220b9a50add9935c02e4d7df7b64ad50c9e.exe
"C:\Users\Admin\AppData\Local\Temp\df017ecef6afe61b947455f2a1cea220b9a50add9935c02e4d7df7b64ad50c9e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\C40A.tmp
  "C:\Users\Admin\AppData\Local\Temp\C40A.tmp" --splashC:\Users\Admin\AppData\Local\Temp\df017ecef6afe61b947455f2a1cea220b9a50add9935c02e4d7df7b64ad50c9e.exe 6C76BA657BEC9E90ADCE9367B07DB4CD546585475B590F57D9DB130BB4305CE4383CFA12C924A0247598BA3A26334F75103AEF34F654F9E2FDA3F403C1DFE3CC
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\C40A.tmp

Filesize
1.9MB

MD5
ab7c1ae4c2171675af7362ce6848cff9

SHA1
0cd0c9288ac50ce00123ca6bb90480ddae6233a3

SHA256
98533587e4c6b110f5b26c195d35478eb80b6613035c1593ebe75f7fee417fb4

SHA512
ed4141be50ed5810c5eba1cee2d396412298676567efe50bfc6bdab9e5cf6685ad36a40de2094f23300518f83bfb535a41ae07ed980197211b723888e78e6bc6

Download Submit
memory/2320-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/2496-6-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download