6d79593133b8c2087f0f875bd6e486230b4b700696c9bc9bff9c483b95e27997

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d79593133b8c2087f0f875bd6e486230b4b700696c9bc9bff9c483b95e27997N.exe
Size

268KB
MD5

e443c8f575023f918ab41edf215b1510
SHA1

4c6bae51391e8a9ee321e39b22faf27c9d1f9e45
SHA256

6d79593133b8c2087f0f875bd6e486230b4b700696c9bc9bff9c483b95e27997
SHA512

de9bfbc6f8ca0061a6c6f7c557ab693bdbfedcf350e98f2cd63143dc4cadb7aa0684f9a02a1c25da1d6bee287ccbf9d70df7c7403b68010d47c456d60b9963a4
SSDEEP

3072:06DHJNVC58GjaDTXLWiFfPu7CACs/0I3T8aftrGCXmnmO:06Dpy6GG6qXuG7rUAkyCX

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1904	6d79593133b8c2087f0f875bd6e486230b4b700696c9bc9bff9c483b95e27997N.exe

Executes dropped EXE 1 IoCs

pid	Process
1904	6d79593133b8c2087f0f875bd6e486230b4b700696c9bc9bff9c483b95e27997N.exe

Loads dropped DLL 1 IoCs

pid	Process
2284	6d79593133b8c2087f0f875bd6e486230b4b700696c9bc9bff9c483b95e27997N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d79593133b8c2087f0f875bd6e486230b4b700696c9bc9bff9c483b95e27997N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2284	6d79593133b8c2087f0f875bd6e486230b4b700696c9bc9bff9c483b95e27997N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1904	6d79593133b8c2087f0f875bd6e486230b4b700696c9bc9bff9c483b95e27997N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 1904	2284	6d79593133b8c2087f0f875bd6e486230b4b700696c9bc9bff9c483b95e27997N.exe	31
PID 2284 wrote to memory of 1904	2284	6d79593133b8c2087f0f875bd6e486230b4b700696c9bc9bff9c483b95e27997N.exe	31
PID 2284 wrote to memory of 1904	2284	6d79593133b8c2087f0f875bd6e486230b4b700696c9bc9bff9c483b95e27997N.exe	31
PID 2284 wrote to memory of 1904	2284	6d79593133b8c2087f0f875bd6e486230b4b700696c9bc9bff9c483b95e27997N.exe	31

C:\Users\Admin\AppData\Local\Temp\6d79593133b8c2087f0f875bd6e486230b4b700696c9bc9bff9c483b95e27997N.exe
"C:\Users\Admin\AppData\Local\Temp\6d79593133b8c2087f0f875bd6e486230b4b700696c9bc9bff9c483b95e27997N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Local\Temp\6d79593133b8c2087f0f875bd6e486230b4b700696c9bc9bff9c483b95e27997N.exe
  C:\Users\Admin\AppData\Local\Temp\6d79593133b8c2087f0f875bd6e486230b4b700696c9bc9bff9c483b95e27997N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6d79593133b8c2087f0f875bd6e486230b4b700696c9bc9bff9c483b95e27997N.exe

Filesize
268KB

MD5
a01ab7b3a37331c5c1a5cbdd555bf686

SHA1
be6482948959b9508a4ba7d44175867ea1ff9710

SHA256
bbabc1c85ad72000bf217e0d1d60d74bc5fa8c5863fb7dfea2eb94a4e65360af

SHA512
c2efd12792b9ed663bfb6452d7f8ad865952481ba65f183e467d2214093a1d980522fee24473505b321754a8e44062c301781d90119d13cc0ada70b6629202ec

Download Submit
memory/1904-17-0x0000000000130000-0x0000000000173000-memory.dmp

Filesize
268KB

Download
memory/1904-12-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1904-11-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1904-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2284-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2284-9-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download