2ecd1b9ea7d142902442f3e0450d72b77c53d77f98326db4668190b7634a1e17

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1957489ed17efbc72a36495addf22c0N.exe
Size

55KB
MD5

c1957489ed17efbc72a36495addf22c0
SHA1

9fec8ac0ece8b00fb4b1393e75070e0fa7f1d39f
SHA256

2ecd1b9ea7d142902442f3e0450d72b77c53d77f98326db4668190b7634a1e17
SHA512

b6ec3d2f2544b12bab2d477c5cbbe87a1696e1f431b3435311994bb764f884a3220da8ff7f0565a0b761cb82b432c32a1e831b44f46dad7b508d9fc2d2086c09
SSDEEP

768:AzCzDHjqcg3fwgpYK/k59zck/fDBmaXjWDrNKgUOOm58yOqIXxv6Yfv:fM3fiXjWvNKCOm53OqXQv

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2672	plote.exe

Loads dropped DLL 1 IoCs

pid	Process
1444	c1957489ed17efbc72a36495addf22c0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1957489ed17efbc72a36495addf22c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plote.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1444	c1957489ed17efbc72a36495addf22c0N.exe
2672	plote.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2672	1444	c1957489ed17efbc72a36495addf22c0N.exe	30
PID 1444 wrote to memory of 2672	1444	c1957489ed17efbc72a36495addf22c0N.exe	30
PID 1444 wrote to memory of 2672	1444	c1957489ed17efbc72a36495addf22c0N.exe	30
PID 1444 wrote to memory of 2672	1444	c1957489ed17efbc72a36495addf22c0N.exe	30

C:\Users\Admin\AppData\Local\Temp\c1957489ed17efbc72a36495addf22c0N.exe
"C:\Users\Admin\AppData\Local\Temp\c1957489ed17efbc72a36495addf22c0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\plote.exe
  "C:\Users\Admin\AppData\Local\Temp\plote.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\plote.exe

Filesize
56KB

MD5
6a44d2bd714d19cd47f78289384c63de

SHA1
6b1fd4dd86ac98b5fe5e7caa76b757b0dac1b8e2

SHA256
d5032dca31498e25c7b89d2eeda78b9d5d892b3c0634bfe76e39fecdac4d4675

SHA512
4bf66865b1ebf9cfeba6bb77fdbfb1653d2a58e57db6775f28ac4a7105474a8a15700030dd0734637ebc777cf845da3c32f5543348fc0ca519936b2b8c061e23

Download Submit
memory/1444-0-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/1444-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1444-8-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2672-16-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download