d2f22e78bd14d06323792b2c8b9badb76e8e92f6134159f6c22207e4424e27eb

Analysis

max time kernel
84s
max time network
21s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 14:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ca1c37e794ad68a0e56b1a300eaac440N.exe
Size

5.3MB
MD5

ca1c37e794ad68a0e56b1a300eaac440
SHA1

273d32916589891faaed897af6685a2f6b20c4fa
SHA256

d2f22e78bd14d06323792b2c8b9badb76e8e92f6134159f6c22207e4424e27eb
SHA512

48747e09093142124d657a618cb07c44e7800928e29aff1cc6a076feb2f4944a5b244d296c1a0bdbc7f9626792d3b7e73932aa3e8fb2e95ddce08ffda88dc739
SSDEEP

6144:6f03KzLYxGUtLc5zFaLHzvbwtpO+VPQA62Q:6c6zLpUtKQHTopBVpM

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1308	ca1c37e794ad68a0e56b1a300eaac440N.exe
1308	ca1c37e794ad68a0e56b1a300eaac440N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3032	1308	WerFault.exe	28

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca1c37e794ad68a0e56b1a300eaac440N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 3032	1308	ca1c37e794ad68a0e56b1a300eaac440N.exe	29
PID 1308 wrote to memory of 3032	1308	ca1c37e794ad68a0e56b1a300eaac440N.exe	29
PID 1308 wrote to memory of 3032	1308	ca1c37e794ad68a0e56b1a300eaac440N.exe	29
PID 1308 wrote to memory of 3032	1308	ca1c37e794ad68a0e56b1a300eaac440N.exe	29

C:\Users\Admin\AppData\Local\Temp\ca1c37e794ad68a0e56b1a300eaac440N.exe
"C:\Users\Admin\AppData\Local\Temp\ca1c37e794ad68a0e56b1a300eaac440N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 200
  2⤵
  - Program crash
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ECUREYT.exe

Filesize
5.4MB

MD5
b786bfbcb220d788d6886b7ef6d2c5e9

SHA1
b208543a66cc3d1cd7d478c327c433f6a73e2642

SHA256
606ef657a13d82a158a78e08590260ddd85f5b11c9d5ea9b9855a59b3b66fe5b

SHA512
4edc6a6744416acd5946972b6f30826b9037820594ede5992dab6a8cfd8f68148a5d23b3921dba0ad0a2689bde84ab96d1046053399efee58b104878ae10f2aa

Download Submit