90afea750965d4cf4417e85f801484f26dd2b019a48c036442f1024d9c106627

Analysis

max time kernel
80s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87ca1f20008c059dad9a11dac796f880N.exe
Size

268KB
MD5

87ca1f20008c059dad9a11dac796f880
SHA1

d74b4a3c65100297f479dcafa719160625084180
SHA256

90afea750965d4cf4417e85f801484f26dd2b019a48c036442f1024d9c106627
SHA512

22d9735d07ad99dbe35cb5175c102201f691a3a08516dc808784cf5503ae32449230a278b3ef7d72b64b53a5a50fb8508638a047630520d460a4592f94f4cb65
SSDEEP

6144:OE7ajqCr7i0fYl4KLTQWA4VRfLM34Tb6wHiAUgP4/Q+t24RIngW4:OHiH5bMxynp4

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2088	87ca1f20008c059dad9a11dac796f880N.exe

Executes dropped EXE 1 IoCs

pid	Process
2088	87ca1f20008c059dad9a11dac796f880N.exe

Loads dropped DLL 1 IoCs

pid	Process
2124	87ca1f20008c059dad9a11dac796f880N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87ca1f20008c059dad9a11dac796f880N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2124	87ca1f20008c059dad9a11dac796f880N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2088	87ca1f20008c059dad9a11dac796f880N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2088	2124	87ca1f20008c059dad9a11dac796f880N.exe	31
PID 2124 wrote to memory of 2088	2124	87ca1f20008c059dad9a11dac796f880N.exe	31
PID 2124 wrote to memory of 2088	2124	87ca1f20008c059dad9a11dac796f880N.exe	31
PID 2124 wrote to memory of 2088	2124	87ca1f20008c059dad9a11dac796f880N.exe	31

C:\Users\Admin\AppData\Local\Temp\87ca1f20008c059dad9a11dac796f880N.exe
"C:\Users\Admin\AppData\Local\Temp\87ca1f20008c059dad9a11dac796f880N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\87ca1f20008c059dad9a11dac796f880N.exe
  C:\Users\Admin\AppData\Local\Temp\87ca1f20008c059dad9a11dac796f880N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\87ca1f20008c059dad9a11dac796f880N.exe

Filesize
268KB

MD5
f85d0a9b51bed2e275598a10c577de10

SHA1
e420c3a9b3319f8c186eac7f9a9376f0d6e3f4fc

SHA256
13ab04e2487afed313d19834aa9d1f203b5d4618d97f471e498694f45a83f8d2

SHA512
6c20e96d1afd339ca1546e18958f9b49b4a0db1cc7550973526e74c56610d38bf405af8fd4ab3383c17ca79405a0c62a27d5a61843991121736bfaed3ce7bf0c

Download Submit
memory/2088-17-0x0000000002B70000-0x0000000002BB3000-memory.dmp

Filesize
268KB

Download
memory/2088-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2088-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2088-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2124-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2124-9-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download