6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
Size

14.3MB
MD5

fc844b5128c40257342ae9930a4240b0
SHA1

9d173667ea5c0ddba877112661fa6119ab9e1858
SHA256

6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632
SHA512

5d651cd6a13c5378175673402e1df487649097a5077a0e24368f800991db23b998b3ab3b92af28634c1d476932113cc99cd49b3e3dc77fe5a35489b5e7734023
SSDEEP

393216:/abopteQbBlROLNM112Q9R/9mmGKJxV6edA2YM:iiFmLO1IQ9nJ6o

Score

6^/10

defense_evasion discovery

Malware Config

Signatures

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2248	1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe	30
PID 1620 wrote to memory of 2248	1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe	30
PID 1620 wrote to memory of 2248	1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe	30
PID 1620 wrote to memory of 2248	1620	6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe	30

C:\Users\Admin\AppData\Local\Temp\6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe
"C:\Users\Admin\AppData\Local\Temp\6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\*.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6bca22c08cf23a40dc7e4895dec1e269768c37a84fe672ebca71f9bcd7ab5632.exepack.tmp

Filesize
2KB

MD5
eb84f38785a4171970701f130d5aa799

SHA1
40031abda5c9951ccda255a254a905b7f20e8ab1

SHA256
f7b8ddce49f8b7d19ae34ee122fe9c4cd13eb4c65e0c521bd6a6e6722da789fe

SHA512
ddbceee986fb6f20d0a12d7695cef09e4b25d7dbb5dbc5c093050171d024d541ec3fc7c8e4d5601b156ee97081f8867c15a75308520152702ae62de651afb3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6cd2842b32d53672fe16f4e1bb3c44de.ini

Filesize
549B

MD5
f56bbaab0a356a71c200911bdc2db750

SHA1
bb33a9603de7fc9cfb194438c391c3a825f73edb

SHA256
d31d083f9a92578376623357238678db6f2259ff574673a793eb223e5a361726

SHA512
44e6441e19ade9a8082e93ed7af6720b89c02f2c2f25c4105168577f0b1429aa504cb17185df3e8e545331b8835327479c5d726cf0089cf11942f373cff73446

Download Submit
C:\Users\Admin\AppData\Local\Temp\6cd2842b32d53672fe16f4e1bb3c44deA.ini

Filesize
1KB

MD5
1afd35b305c72f0ab1f648b8ad62d71a

SHA1
955d5bd20ce36f95d65a3003499c697d572f5f15

SHA256
fd29b69948003e726d9268f44a6c14ff51042815d57a21dfaccca0704a0631fc

SHA512
9612e93203c5e2b4c7f752fffc61c808289d99f0bde714f20a3750ed0bb84e563ec401b4b1c8ca948358d732bfde9ae007941f8a613ea2f9182adcdcea77cd53

Download Submit
memory/1620-337-0x0000000000400000-0x0000000001234000-memory.dmp

Filesize
14.2MB

Download
memory/1620-340-0x0000000000400000-0x0000000001234000-memory.dmp

Filesize
14.2MB

Download
memory/1620-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1620-5-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1620-12-0x0000000000400000-0x0000000001234000-memory.dmp

Filesize
14.2MB

Download
memory/1620-10-0x0000000000400000-0x0000000001234000-memory.dmp

Filesize
14.2MB

Download
memory/1620-4-0x00000000008DD000-0x0000000000D9B000-memory.dmp

Filesize
4.7MB

Download
memory/1620-3-0x0000000000400000-0x0000000001234000-memory.dmp

Filesize
14.2MB

Download
memory/1620-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1620-336-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1620-338-0x00000000008DD000-0x0000000000D9B000-memory.dmp

Filesize
4.7MB

Download
memory/1620-0-0x0000000000400000-0x0000000001234000-memory.dmp

Filesize
14.2MB

Download
memory/1620-339-0x0000000000400000-0x0000000001234000-memory.dmp

Filesize
14.2MB

Download
memory/1620-9-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1620-341-0x0000000000400000-0x0000000001234000-memory.dmp

Filesize
14.2MB

Download
memory/1620-342-0x0000000000400000-0x0000000001234000-memory.dmp

Filesize
14.2MB

Download
memory/1620-343-0x0000000000400000-0x0000000001234000-memory.dmp

Filesize
14.2MB

Download
memory/1620-344-0x0000000000400000-0x0000000001234000-memory.dmp

Filesize
14.2MB

Download
memory/1620-345-0x0000000000400000-0x0000000001234000-memory.dmp

Filesize
14.2MB

Download
memory/1620-346-0x0000000000400000-0x0000000001234000-memory.dmp

Filesize
14.2MB

Download
memory/1620-347-0x0000000000400000-0x0000000001234000-memory.dmp

Filesize
14.2MB

Download
memory/1620-348-0x0000000000400000-0x0000000001234000-memory.dmp

Filesize
14.2MB

Download
memory/1620-349-0x0000000000400000-0x0000000001234000-memory.dmp

Filesize
14.2MB

Download
memory/1620-350-0x0000000000400000-0x0000000001234000-memory.dmp

Filesize
14.2MB

Download
memory/1620-351-0x0000000000400000-0x0000000001234000-memory.dmp

Filesize
14.2MB

Download
memory/1620-352-0x0000000000400000-0x0000000001234000-memory.dmp

Filesize
14.2MB

Download
memory/1620-353-0x0000000000400000-0x0000000001234000-memory.dmp

Filesize
14.2MB

Download