d1b6e76e8a2e356aaa6b082916ecdd7ea83da8aa70aeab7896dfe82aea8e1464

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 02:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d78bb78aa89a2712a8c701a69358e0e611f8c476f4e9fa1d89c9620d3efa404b.exe
Size

1.9MB
MD5

9fd7ccb6ed4a0411d14be21e14b366ae
SHA1

ba8b41ae3f08146c11fd18b8144bd87f285d4b14
SHA256

d78bb78aa89a2712a8c701a69358e0e611f8c476f4e9fa1d89c9620d3efa404b
SHA512

c4e7f4f3ba3a8fa92ff5d8556e88ba52a5cb2ff3470738b44162477bb7ea2b0537a5d3f510485a5538edf31c65a5c58cce584b79b4140113c6a2724b7e8d00f2
SSDEEP

49152:Qoa1taC070dIXObb0nvBgoBQ8h51ItsrqS4:Qoa1taC0nObO+8P1IirqB

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2192	8B01.tmp

Executes dropped EXE 1 IoCs

pid	Process
2192	8B01.tmp

Loads dropped DLL 1 IoCs

pid	Process
2072	d78bb78aa89a2712a8c701a69358e0e611f8c476f4e9fa1d89c9620d3efa404b.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8B01.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d78bb78aa89a2712a8c701a69358e0e611f8c476f4e9fa1d89c9620d3efa404b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2192	2072	d78bb78aa89a2712a8c701a69358e0e611f8c476f4e9fa1d89c9620d3efa404b.exe	30
PID 2072 wrote to memory of 2192	2072	d78bb78aa89a2712a8c701a69358e0e611f8c476f4e9fa1d89c9620d3efa404b.exe	30
PID 2072 wrote to memory of 2192	2072	d78bb78aa89a2712a8c701a69358e0e611f8c476f4e9fa1d89c9620d3efa404b.exe	30
PID 2072 wrote to memory of 2192	2072	d78bb78aa89a2712a8c701a69358e0e611f8c476f4e9fa1d89c9620d3efa404b.exe	30

C:\Users\Admin\AppData\Local\Temp\d78bb78aa89a2712a8c701a69358e0e611f8c476f4e9fa1d89c9620d3efa404b.exe
"C:\Users\Admin\AppData\Local\Temp\d78bb78aa89a2712a8c701a69358e0e611f8c476f4e9fa1d89c9620d3efa404b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\8B01.tmp
  "C:\Users\Admin\AppData\Local\Temp\8B01.tmp" --splashC:\Users\Admin\AppData\Local\Temp\d78bb78aa89a2712a8c701a69358e0e611f8c476f4e9fa1d89c9620d3efa404b.exe A9BB45F537BFAFFF4B1A55C19C213368D50F2E81DC3FCA7F808D353A19AF6F58EB5EFA46275826C2F41AB9D9B74C0A243375996F200507BC3BA54A08D3E2C4F5
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8B01.tmp

Filesize
1.9MB

MD5
51c32e3847e974bcccbfe0c6eb831b5b

SHA1
87b0659734514abbc43c0fe9906963382ba34635

SHA256
3bf3ee1be36e407333a0e46d7965bf03389a101275d2f50a1853a62169da2921

SHA512
ee7125e467a8cfa286bf9a3b50adbed21b6f283eec36c3e54699b5a9c326ab9746347e893baedeb53079b3ee995637cf63a802d31f6a3aed8ee04f9d5ec0d814

Download Submit
memory/2072-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/2192-6-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download