8c6370dd5a77b5901eaca9861870e57b2c5fa4439acba42f3be699d9ce47df77

Analysis

max time kernel
101s
max time network
114s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 11:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d3243db30a2fa7e6c0ea82e87dcb9bb0N.exe
Size

38KB
MD5

d3243db30a2fa7e6c0ea82e87dcb9bb0
SHA1

6c6bb1f27118216e4f64d84e486c9b3680ca044d
SHA256

8c6370dd5a77b5901eaca9861870e57b2c5fa4439acba42f3be699d9ce47df77
SHA512

b516ba625b1393e892daba79f6cd3eafca37c43758b3ce8fb3df754c8ee7b449b544e34136fa05363a4a3b62616cb69a923e873bed5534cff9473407e9527768
SSDEEP

384:cIZAvJmRPDN/jSyC8MxVLzFXME7dgPWlL1lQRs4bIoJu/QXl29Xn:hAvJ4LSyC8aVN7X4bIos/ul21n

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2356	comhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2252	d3243db30a2fa7e6c0ea82e87dcb9bb0N.exe
2252	d3243db30a2fa7e6c0ea82e87dcb9bb0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3243db30a2fa7e6c0ea82e87dcb9bb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comhost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2356	2252	d3243db30a2fa7e6c0ea82e87dcb9bb0N.exe	29
PID 2252 wrote to memory of 2356	2252	d3243db30a2fa7e6c0ea82e87dcb9bb0N.exe	29
PID 2252 wrote to memory of 2356	2252	d3243db30a2fa7e6c0ea82e87dcb9bb0N.exe	29
PID 2252 wrote to memory of 2356	2252	d3243db30a2fa7e6c0ea82e87dcb9bb0N.exe	29

C:\Users\Admin\AppData\Local\Temp\d3243db30a2fa7e6c0ea82e87dcb9bb0N.exe
"C:\Users\Admin\AppData\Local\Temp\d3243db30a2fa7e6c0ea82e87dcb9bb0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\comhost.exe
  "C:\Users\Admin\AppData\Local\Temp\comhost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\comhost.exe

Filesize
38KB

MD5
2c4f9a4f8fa3e74cbc29f3fb61433fa8

SHA1
41893d07fa994b29455bbea180a0974d4564be3a

SHA256
2b0c138c25ee14c3b3ec77679af0f3b4bbfe4862b85065f6bb577f2fbaf5f106

SHA512
a9df2f4e81f1c0d51ddedf44809cb292fe5168cbc487246ac1a0dfb2f295d45c37d07c80d1ee7282dbcea7b6a5ebd18d5606cb98d02966aac03d1e35f1f84420

Download Submit
memory/2252-1-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/2356-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download