93868af6b010f73d9b5fd61c10f163f57c99a3223ece71ae736ca167f0700719

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ba11a38855050471608ebbdcbc8456fbd5d38a06a7fb52d96456fac0bf8cc2f.exe
Size

1.9MB
MD5

53c93c9e8796395844c895f88e1ca274
SHA1

36c71b7717556b42aacc0482a61ba7f3d23b7c21
SHA256

8ba11a38855050471608ebbdcbc8456fbd5d38a06a7fb52d96456fac0bf8cc2f
SHA512

6b71809a015df55709d6eff89c35040127fdb417ef358ef25f5d81c6eeba567f124a5b4f5aa0304fcd4bcf970d3c1a5c88e7cf2afda79f6a66dffb78a0374596
SSDEEP

49152:Qoa1taC070dAD7XgTU7D9VZkSKdPZsDyW:Qoa1taC0d7XyS9fjSZa1

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2104	37F2.tmp

Executes dropped EXE 1 IoCs

pid	Process
2104	37F2.tmp

Loads dropped DLL 1 IoCs

pid	Process
2196	8ba11a38855050471608ebbdcbc8456fbd5d38a06a7fb52d96456fac0bf8cc2f.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba11a38855050471608ebbdcbc8456fbd5d38a06a7fb52d96456fac0bf8cc2f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37F2.tmp

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2104	2196	8ba11a38855050471608ebbdcbc8456fbd5d38a06a7fb52d96456fac0bf8cc2f.exe	30
PID 2196 wrote to memory of 2104	2196	8ba11a38855050471608ebbdcbc8456fbd5d38a06a7fb52d96456fac0bf8cc2f.exe	30
PID 2196 wrote to memory of 2104	2196	8ba11a38855050471608ebbdcbc8456fbd5d38a06a7fb52d96456fac0bf8cc2f.exe	30
PID 2196 wrote to memory of 2104	2196	8ba11a38855050471608ebbdcbc8456fbd5d38a06a7fb52d96456fac0bf8cc2f.exe	30

C:\Users\Admin\AppData\Local\Temp\8ba11a38855050471608ebbdcbc8456fbd5d38a06a7fb52d96456fac0bf8cc2f.exe
"C:\Users\Admin\AppData\Local\Temp\8ba11a38855050471608ebbdcbc8456fbd5d38a06a7fb52d96456fac0bf8cc2f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\37F2.tmp
  "C:\Users\Admin\AppData\Local\Temp\37F2.tmp" --splashC:\Users\Admin\AppData\Local\Temp\8ba11a38855050471608ebbdcbc8456fbd5d38a06a7fb52d96456fac0bf8cc2f.exe E2B7747640D25D8D0A0524E4DC5D774388DF06C4727BFD276984B43D8BC5445803E39A1E17299E5F6DDEF83E9E0934961BADFEB7D9329952D4511AB9E34AC358
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\37F2.tmp

Filesize
1.9MB

MD5
00b36eda0916fdd54978b363e561abce

SHA1
e45912b5104bbecd50e62e559508ecc225e4cb9a

SHA256
21f3f09ecfcc6887308f649c08d16a2e43f901c9450914cfdb4ff3908eef2105

SHA512
6d62575fe03aa45cfc919efd94c503e8d85946e78fbc186fa243ad0128157a308af46e5363667f6e48b91a0feb75c8683496589eff54d2fb6a3330160ff5849e

Download Submit
memory/2104-6-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/2196-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download