9d18735cb452e04efc58b0e381ef91fd3d10a66becea79c87a39ef55204bca44

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f067155980d04cc127c4e42a080ec90N.exe
Size

6.0MB
MD5

5f067155980d04cc127c4e42a080ec90
SHA1

52ef382a5fb933b1a90c7fd112135c7ab50cc42a
SHA256

9d18735cb452e04efc58b0e381ef91fd3d10a66becea79c87a39ef55204bca44
SHA512

a2b1c21d70f6333276f59902a985da6f5bdbe2fb6272d3bb5bbf760be1668b8d736b6676f3828eabd7e7d49b1f55621ae4b12e2df2f35ecfcfd0b9f316124fd3
SSDEEP

98304:emhd1UryehTrktVGi47vV7wQqZUha5jtSyZIUS:elBTgtVGt7v2QbaZtlir

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2720	ED3C.tmp

Executes dropped EXE 1 IoCs

pid	Process
2720	ED3C.tmp

Loads dropped DLL 2 IoCs

pid	Process
2672	5f067155980d04cc127c4e42a080ec90N.exe
2672	5f067155980d04cc127c4e42a080ec90N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f067155980d04cc127c4e42a080ec90N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2720	2672	5f067155980d04cc127c4e42a080ec90N.exe	31
PID 2672 wrote to memory of 2720	2672	5f067155980d04cc127c4e42a080ec90N.exe	31
PID 2672 wrote to memory of 2720	2672	5f067155980d04cc127c4e42a080ec90N.exe	31
PID 2672 wrote to memory of 2720	2672	5f067155980d04cc127c4e42a080ec90N.exe	31

C:\Users\Admin\AppData\Local\Temp\5f067155980d04cc127c4e42a080ec90N.exe
"C:\Users\Admin\AppData\Local\Temp\5f067155980d04cc127c4e42a080ec90N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\ED3C.tmp
  "C:\Users\Admin\AppData\Local\Temp\ED3C.tmp" --splashC:\Users\Admin\AppData\Local\Temp\5f067155980d04cc127c4e42a080ec90N.exe 8DFD135273162AE109DBB8169CC8F80BDD3A7E43CF1D962DD39173C8DBB0C5EDFB0DFA2A2300E9FAC3AF83120DF438DBD15E97A92DA2AC56D23361A37630EF22
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ED3C.tmp

Filesize
6.0MB

MD5
2fa3f5274eac5341971d7a1283641f74

SHA1
41d817f665103442ddb638fb4f68e205850bbafd

SHA256
ee7e07772e91490b08a18de89ed67bb3ab031721381f14fea817756c4ba60e00

SHA512
9da3c5d1c167603a4d716809f7062d033f4bac17f7b2d825204c3f8e5d9c409e061af68c4697acbc5afe0988f57c57adbc51ff1cfcef4c82b97bff5078ba5981

Download Submit
memory/2672-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/2720-9-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download