e83e61152c7dbaeab7b506a8b6efca7b610a4de6f2566bed01900c95dc74d1c1

Analysis

max time kernel
16s
max time network
21s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6ae6cee842c6c70865f2c8b00a8faa0N.exe
Size

4.4MB
MD5

c6ae6cee842c6c70865f2c8b00a8faa0
SHA1

eddab94d7403bbf9a2183861788e1a441ffc75eb
SHA256

e83e61152c7dbaeab7b506a8b6efca7b610a4de6f2566bed01900c95dc74d1c1
SHA512

11eaf66953f8f87978ef613bf3de5b5107c794a2a977468f167d644469e4da34f722a868301b7689d72996cbab59a30a718263d14dc1b0ef29f786288a8e3ac0
SSDEEP

98304:emhd1Urye32TfQpiAw6niRU3pcZl/SV7wQqZUha5jtSn:elX2TfQpiAw6n2U3p52QbaZte

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2396	9119.tmp

Executes dropped EXE 1 IoCs

pid	Process
2396	9119.tmp

Loads dropped DLL 2 IoCs

pid	Process
2160	c6ae6cee842c6c70865f2c8b00a8faa0N.exe
2160	c6ae6cee842c6c70865f2c8b00a8faa0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6ae6cee842c6c70865f2c8b00a8faa0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2396	2160	c6ae6cee842c6c70865f2c8b00a8faa0N.exe	30
PID 2160 wrote to memory of 2396	2160	c6ae6cee842c6c70865f2c8b00a8faa0N.exe	30
PID 2160 wrote to memory of 2396	2160	c6ae6cee842c6c70865f2c8b00a8faa0N.exe	30
PID 2160 wrote to memory of 2396	2160	c6ae6cee842c6c70865f2c8b00a8faa0N.exe	30

C:\Users\Admin\AppData\Local\Temp\c6ae6cee842c6c70865f2c8b00a8faa0N.exe
"C:\Users\Admin\AppData\Local\Temp\c6ae6cee842c6c70865f2c8b00a8faa0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\9119.tmp
  "C:\Users\Admin\AppData\Local\Temp\9119.tmp" --splashC:\Users\Admin\AppData\Local\Temp\c6ae6cee842c6c70865f2c8b00a8faa0N.exe 6380E2954ADECE99B1246794C580A0D59ABDEDCF9256FAC695758B1493CB319062CD34C227CCACE9BB32AA4F1D0AFB84CE2AAFE3EFDE45870D6B0EC7A44A36BE
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\9119.tmp

Filesize
4.4MB

MD5
50396e261bda8e4d13e572496945248e

SHA1
14caca530015961824120846cfbc2d16229ba102

SHA256
fc74f62c13c716a271c91987bea8906640fa66492e9c9142e60a5415a24b8a28

SHA512
8346553c8ac29ccdeedd6c4a8d2395b3b0912e1c8b979127e68afeec9cc14c6b6ed2a36eadff5020fb2116d34227f91cc6585926a5504310594ca89fab8cf1e8

Download Submit
memory/2160-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/2396-9-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download