dd068030a4ceb78ecf50e8e6aeb29dd671c2be38fdbdbb0362b50f3988685f60

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4709b8225e809d299d2f36edae8aa6d0N.exe
Size

7.7MB
MD5

4709b8225e809d299d2f36edae8aa6d0
SHA1

625cc05c98964ddf4228890f569fb2ea52f51223
SHA256

dd068030a4ceb78ecf50e8e6aeb29dd671c2be38fdbdbb0362b50f3988685f60
SHA512

5a4b99b66ddc872fe1749d86eb62d6e6126c692589ccbbf7ac169a851c418b21c938ad0793ef1699390dea28d494c8afaa43dd74a69d6a598df7f4fab35f7fc5
SSDEEP

98304:emhd1Urye05eoHtieWWNFVbrV7wQqZUha5jtSyZIUbs:elweoHtxl7Vv2QbaZtlin

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2124	B0C9.tmp

Executes dropped EXE 1 IoCs

pid	Process
2124	B0C9.tmp

Loads dropped DLL 2 IoCs

pid	Process
1800	4709b8225e809d299d2f36edae8aa6d0N.exe
1800	4709b8225e809d299d2f36edae8aa6d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4709b8225e809d299d2f36edae8aa6d0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2124	1800	4709b8225e809d299d2f36edae8aa6d0N.exe	30
PID 1800 wrote to memory of 2124	1800	4709b8225e809d299d2f36edae8aa6d0N.exe	30
PID 1800 wrote to memory of 2124	1800	4709b8225e809d299d2f36edae8aa6d0N.exe	30
PID 1800 wrote to memory of 2124	1800	4709b8225e809d299d2f36edae8aa6d0N.exe	30

C:\Users\Admin\AppData\Local\Temp\4709b8225e809d299d2f36edae8aa6d0N.exe
"C:\Users\Admin\AppData\Local\Temp\4709b8225e809d299d2f36edae8aa6d0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\B0C9.tmp
  "C:\Users\Admin\AppData\Local\Temp\B0C9.tmp" --splashC:\Users\Admin\AppData\Local\Temp\4709b8225e809d299d2f36edae8aa6d0N.exe 25CC28C8AD0C414E8F5221DE361772F776A0329A7CAACFE14C07DF2B59CB975550202EA29575F9B02A3CE4B0F00C28A46C76D8EBB80F420D86D6DE6635068CB3
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\B0C9.tmp

Filesize
7.7MB

MD5
1a88df113b6d3aa5940a5f01b3efeb83

SHA1
3195d41eb47af032e7b018957bbd03b6b41ea7de

SHA256
efea46f40bfdc71f9e1f7709159d1842ef471215e00fe4008305ee1cfe5f3061

SHA512
9bf7a59ffa5f789318b1a5b362f9875dd556df50cc8624cb1d9c2bc19334a515d47cffe08bfb7347efb1d9d4c3b434d197753dfac567b92dcf24c1e065ad1ba3

Download Submit
memory/1800-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/2124-9-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download