72b888bc6a6dceacf96659ff0352c80d1ad377460ea27ef8509d3c875926365d

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

339578335d562261768d729fa085b4a0N.exe
Size

5.4MB
MD5

339578335d562261768d729fa085b4a0
SHA1

6aa01e749e3571fc57804b03a97bae2942722d32
SHA256

72b888bc6a6dceacf96659ff0352c80d1ad377460ea27ef8509d3c875926365d
SHA512

d0e1147a97226227f95c39cbeb998831e94b7e565b4d087f7c07b391ee475b838708c0125c9d033f60fcdfa46094a7bf12f45f41901109b804e89609f0f281b8
SSDEEP

98304:emhd1UryeoRZ8Ilk/CusWuTDPV7wQqZUha5jtSyZIUh:elIRmH6P2QbaZtliU

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1432	9109.tmp

Executes dropped EXE 1 IoCs

pid	Process
1432	9109.tmp

Loads dropped DLL 2 IoCs

pid	Process
1740	339578335d562261768d729fa085b4a0N.exe
1740	339578335d562261768d729fa085b4a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	339578335d562261768d729fa085b4a0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1432	1740	339578335d562261768d729fa085b4a0N.exe	30
PID 1740 wrote to memory of 1432	1740	339578335d562261768d729fa085b4a0N.exe	30
PID 1740 wrote to memory of 1432	1740	339578335d562261768d729fa085b4a0N.exe	30
PID 1740 wrote to memory of 1432	1740	339578335d562261768d729fa085b4a0N.exe	30

C:\Users\Admin\AppData\Local\Temp\339578335d562261768d729fa085b4a0N.exe
"C:\Users\Admin\AppData\Local\Temp\339578335d562261768d729fa085b4a0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\9109.tmp
  "C:\Users\Admin\AppData\Local\Temp\9109.tmp" --splashC:\Users\Admin\AppData\Local\Temp\339578335d562261768d729fa085b4a0N.exe A2EDCA59385B6803A71BB59C8F3B8E42DE960FCE0DDC410581F1DEA4097F8BDC60D923AC19734C0155F3342E86A1CAB48149E9F39609BA7F28D9D0F93BFDEF8A
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\9109.tmp

Filesize
5.4MB

MD5
13290d3bfe84198711811ee7ef49ad7e

SHA1
046753709d8b213b5720926ededcb96333b60c73

SHA256
cb208fbb96bb3a8b27c40a40f2b02cec6972a662bb3570e34c722892d01870e0

SHA512
5aabc63739560f343b365da8d638720b47613f2e2956f1bbe73acbfd940fb84e9e446bc7857b5a114c77692225abac7845daf6a02677e5e37940e97af5fd8eff

Download Submit
memory/1432-9-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/1740-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download