f8993cf0a13035950281d2f741a105dfee445937b17a8fa4b6a8275e19690da1

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 04:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f8993cf0a13035950281d2f741a105dfee445937b17a8fa4b6a8275e19690da1N.exe
Size

7.6MB
MD5

4d93474aa8eabe115c04ee2c1f0a6cd0
SHA1

0930859adc104aa795337b5bc96698e83a914e0e
SHA256

f8993cf0a13035950281d2f741a105dfee445937b17a8fa4b6a8275e19690da1
SHA512

3d1ddc4cadae8a8945b60df3c094b68c5c913ef39a9ff892847ee1066bd9a7034d7f09dd3a21d92d5efa4e30b5c01b59aa33fd4261575fbb3fdabffadd0d9fa6
SSDEEP

98304:emhd1UryeNDOk5bf/n4qNnKxO+LqBV7wQqZUha5jtSyZIUbj:eltnHn4qNKlA2QbaZtliW

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2160	C745.tmp

Executes dropped EXE 1 IoCs

pid	Process
2160	C745.tmp

Loads dropped DLL 2 IoCs

pid	Process
1480	f8993cf0a13035950281d2f741a105dfee445937b17a8fa4b6a8275e19690da1N.exe
1480	f8993cf0a13035950281d2f741a105dfee445937b17a8fa4b6a8275e19690da1N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8993cf0a13035950281d2f741a105dfee445937b17a8fa4b6a8275e19690da1N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 2160	1480	f8993cf0a13035950281d2f741a105dfee445937b17a8fa4b6a8275e19690da1N.exe	30
PID 1480 wrote to memory of 2160	1480	f8993cf0a13035950281d2f741a105dfee445937b17a8fa4b6a8275e19690da1N.exe	30
PID 1480 wrote to memory of 2160	1480	f8993cf0a13035950281d2f741a105dfee445937b17a8fa4b6a8275e19690da1N.exe	30
PID 1480 wrote to memory of 2160	1480	f8993cf0a13035950281d2f741a105dfee445937b17a8fa4b6a8275e19690da1N.exe	30

C:\Users\Admin\AppData\Local\Temp\f8993cf0a13035950281d2f741a105dfee445937b17a8fa4b6a8275e19690da1N.exe
"C:\Users\Admin\AppData\Local\Temp\f8993cf0a13035950281d2f741a105dfee445937b17a8fa4b6a8275e19690da1N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\C745.tmp
  "C:\Users\Admin\AppData\Local\Temp\C745.tmp" --splashC:\Users\Admin\AppData\Local\Temp\f8993cf0a13035950281d2f741a105dfee445937b17a8fa4b6a8275e19690da1N.exe 1815163BB6C9B9B41B543A697352219DF1FCE83A20273496672F22AE2472AB9C86FB15422D7D772AB53A0E70AD01F0ED47076FE4470CF27D426477F8BEFFE01E
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\C745.tmp

Filesize
7.6MB

MD5
29fccf59a3fd6d0057cbb7c92640d55a

SHA1
8e30fc046be2b1887a88a03df6fe33f541813d85

SHA256
6cdb6da8d170984e9f326f8cda06bc1bd42c9e9a794e41e5a1d39724492243c5

SHA512
520142e541a76df1d7c8562cf51c6881b3aea5f983dc80287c22c944e02ba0add8f72b728c8e1936e54bffc73a6699c98cf039d053e15b81ad098f447e18055c

Download Submit
memory/1480-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/2160-9-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download