8d3d9ce1b3e08ab581bcd31de3adb141fb14cbe243382276c884e8bdb6ce8780

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71.exe
Size

1.9MB
MD5

786b61f13137975aac320352ac1da101
SHA1

ecd5117bd0da34138951c3008a295963c90cf2f0
SHA256

36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71
SHA512

48600b23dc5e0afff65f7d34e5a8c90d67c9f6b7a45a1b1b85f7042325c9a45058258cdaaf4d0c89343a4e628f136e240b5b6fc9477c142b149a785a8ba19cc6
SSDEEP

24576:N2oo60HPdt+1CRiY2eOBvcj3u10d0O8Y7jN5mlFPUsMDZ79zDDlcuciP0VqEd+tS:Qoa1taC070dvh7jaqd79DDlcuFekd/fe

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2340	CD7C.tmp

Executes dropped EXE 1 IoCs

pid	Process
2340	CD7C.tmp

Loads dropped DLL 1 IoCs

pid	Process
2364	36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CD7C.tmp

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2340	2364	36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71.exe	31
PID 2364 wrote to memory of 2340	2364	36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71.exe	31
PID 2364 wrote to memory of 2340	2364	36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71.exe	31
PID 2364 wrote to memory of 2340	2364	36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71.exe	31

C:\Users\Admin\AppData\Local\Temp\36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71.exe
"C:\Users\Admin\AppData\Local\Temp\36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\CD7C.tmp
  "C:\Users\Admin\AppData\Local\Temp\CD7C.tmp" --splashC:\Users\Admin\AppData\Local\Temp\36d941217ee042aa70e5d103afb8e9040bc388c5ee6140822997366b94429d71.exe E1CBC0BFC3C9E1D03C0397D236CB81CDE23AA860134DF636DC8513FF081CACEB156654C089D8A675ADE7DC34544C0A85DDE8ED303825A3FE4810BB339FB253C5
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\CD7C.tmp

Filesize
1.9MB

MD5
476c51b108e471b1fbbe003347689d16

SHA1
bdd0df45f780f81917c40e24e721db0d659c828d

SHA256
6ed2ce4479f57b7e402e3dbc42582d7afb87b4c61d62f63283b98f8ee9660c96

SHA512
ed3a7c39f995e07b814581a0d5f499525ae87a2e1f14d381bfba08cee04c9ce2d177f1877a689f779867a124c89d61aa5e4be0f7e9d58212f914a424ce785e06

Download Submit
memory/2340-6-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/2364-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download