7d913b951e9429f947e60cf45f18b96f5b2c11eaa972395626d81c916e351637

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 19:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1c51eda91d1cdee4129dec6cb1b035e0N.exe
Size

4.2MB
MD5

1c51eda91d1cdee4129dec6cb1b035e0
SHA1

1309b91af6660a20cda1277f8e718340ada259d1
SHA256

7d913b951e9429f947e60cf45f18b96f5b2c11eaa972395626d81c916e351637
SHA512

a1a9c7128fd295669e23740214e0ee62a1a10b02fc71c2b059053df86c7bd1ad9cd1b2bef5e3a48b69bbdeea3f64ccf1f2c4353f3e023c5e9e4c62ad2080aa82
SSDEEP

98304:Cmhd1UryeKqTnGpVTApd4RVLUjH5oxFbxhVLUjH5oxFbx:ClPTn+tVUjZEdhVUjZEd

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2108	8F35.tmp

Executes dropped EXE 1 IoCs

pid	Process
2108	8F35.tmp

Loads dropped DLL 2 IoCs

pid	Process
2092	1c51eda91d1cdee4129dec6cb1b035e0N.exe
2092	1c51eda91d1cdee4129dec6cb1b035e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c51eda91d1cdee4129dec6cb1b035e0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2108	2092	1c51eda91d1cdee4129dec6cb1b035e0N.exe	30
PID 2092 wrote to memory of 2108	2092	1c51eda91d1cdee4129dec6cb1b035e0N.exe	30
PID 2092 wrote to memory of 2108	2092	1c51eda91d1cdee4129dec6cb1b035e0N.exe	30
PID 2092 wrote to memory of 2108	2092	1c51eda91d1cdee4129dec6cb1b035e0N.exe	30

C:\Users\Admin\AppData\Local\Temp\1c51eda91d1cdee4129dec6cb1b035e0N.exe
"C:\Users\Admin\AppData\Local\Temp\1c51eda91d1cdee4129dec6cb1b035e0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\8F35.tmp
  "C:\Users\Admin\AppData\Local\Temp\8F35.tmp" --splashC:\Users\Admin\AppData\Local\Temp\1c51eda91d1cdee4129dec6cb1b035e0N.exe B2943FF4CEB797EB99B09C9E7EF36E5BE95162FFA4973C10FB922BCBA3218AC97637BF1B3130EDB1A121D8542FEAD7C0A94B2829F927C5A6D7420766C3A82036
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\8F35.tmp

Filesize
4.2MB

MD5
cfa9adc2aa78aaca09f69fdf54459616

SHA1
dc53e87a0ce16fd91745856e22811d4383128d19

SHA256
1638b1b9634c01bf8304cd74e22455e7d0207202d8183312fc90a9a699a395ec

SHA512
243ba28e4f6510d5b7ae86cf0ecdde5d992576e3a755c6f896016e8ac318a371d3d753e4a2d688331bf096b2c8d4f1d393e8e69e06e472c32b1c746c0d2a6e61

Download Submit
memory/2092-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/2108-9-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download