e42723f62a2d0a2d08511d0466a61faaa3b8ec167835a06b8a2b1cf18e4e77f5

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e42723f62a2d0a2d08511d0466a61faaa3b8ec167835a06b8a2b1cf18e4e77f5N.exe
Size

83KB
MD5

02d306f3419c57e26cb9073e11a0ff10
SHA1

ee1c9e610a4dfce3fe69598a74195f2683d167b1
SHA256

e42723f62a2d0a2d08511d0466a61faaa3b8ec167835a06b8a2b1cf18e4e77f5
SHA512

1e23f5899c06aa4096ae4f410741dddfd6ec82f0aa34c2937e0ea26b4a51295d87847d2768ab135552a5b0d4b3818ad32b649a1cebe8a3debdaf71aa4203096d
SSDEEP

1536:lvzSTvsdPw1OQA8A0qUhMb2nuy5wgIP0CS3q+5yoB8GMGlZ54:lvzSzLsGhqU7uy5w9NMyoN54

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1960	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
2728	cmd.exe
2728	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e42723f62a2d0a2d08511d0466a61faaa3b8ec167835a06b8a2b1cf18e4e77f5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2728	2248	e42723f62a2d0a2d08511d0466a61faaa3b8ec167835a06b8a2b1cf18e4e77f5N.exe	30
PID 2248 wrote to memory of 2728	2248	e42723f62a2d0a2d08511d0466a61faaa3b8ec167835a06b8a2b1cf18e4e77f5N.exe	30
PID 2248 wrote to memory of 2728	2248	e42723f62a2d0a2d08511d0466a61faaa3b8ec167835a06b8a2b1cf18e4e77f5N.exe	30
PID 2248 wrote to memory of 2728	2248	e42723f62a2d0a2d08511d0466a61faaa3b8ec167835a06b8a2b1cf18e4e77f5N.exe	30
PID 2728 wrote to memory of 1960	2728	cmd.exe	31
PID 2728 wrote to memory of 1960	2728	cmd.exe	31
PID 2728 wrote to memory of 1960	2728	cmd.exe	31
PID 2728 wrote to memory of 1960	2728	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\e42723f62a2d0a2d08511d0466a61faaa3b8ec167835a06b8a2b1cf18e4e77f5N.exe
"C:\Users\Admin\AppData\Local\Temp\e42723f62a2d0a2d08511d0466a61faaa3b8ec167835a06b8a2b1cf18e4e77f5N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
83KB

MD5
e99d2d9bea378b5b8de72fedcb0637d8

SHA1
aa3dc0d8b61e8f40c786e7802b67f33f37a4e86a

SHA256
8a23785276fdffd79fccf3a9e1c9ea3afed1ee0eefe9bb303cf135fe52066156

SHA512
e06db7b03c173f8be77f69d84802299ba4860ba78bf9e3f581cb02ef423e31ec775724793c58fa8f25b797d0e81a64cd6e3f7480310806bcdda5c93dbe3dac5d

Download Submit
memory/1960-7-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2248-8-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download