37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7c

Analysis

max time kernel
75s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe
Size

4.2MB
MD5

7838d252ba4b3d75f9b202f325cdb830
SHA1

de7022425617f80cfa0fd9922dfab3a9cfb17735
SHA256

37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7c
SHA512

aedcdd7327155d25799b42f29bca9632f186470dc5e51d3893b80770656078808d364060b6f091bbfba6b05709b3cf25c3a221278051799403fee95423a97f2b
SSDEEP

98304:Cmhd1UryeqmSVrXfBVVLUjH5oxFbxhVLUjH5oxFbx:ClKRVTXVUjZEdhVUjZEd

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2500	E447.tmp

Executes dropped EXE 1 IoCs

pid	Process
2500	E447.tmp

Loads dropped DLL 2 IoCs

pid	Process
1916	37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe
1916	37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2500	1916	37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe	31
PID 1916 wrote to memory of 2500	1916	37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe	31
PID 1916 wrote to memory of 2500	1916	37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe	31
PID 1916 wrote to memory of 2500	1916	37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe	31

C:\Users\Admin\AppData\Local\Temp\37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe
"C:\Users\Admin\AppData\Local\Temp\37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\E447.tmp
  "C:\Users\Admin\AppData\Local\Temp\E447.tmp" --splashC:\Users\Admin\AppData\Local\Temp\37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe 582DF4FFE06C7B9BBEFEF5B06BD589F13D90838F589269ED587CDDED0D2832DAFC9DA1D63BAA526AC5E002B78EC9FC4865CCC283AF14EE86FCC304C343CB5C62
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\E447.tmp

Filesize
4.2MB

MD5
016a0faf76b8df240fec1e2a1fcaae77

SHA1
2eab08df1e3186f340192558476cb2aae2b9fa3f

SHA256
0978413d936d424c3bda3d2826b8aa6b88634258e80fa2b6f1d581b6ef636b44

SHA512
7c556374d844b5de96710e77274415bb40ea988896375f3d62b44ce5ce8a89baabec4fbe34124ade06d6cd2fa665fa1a53b06c24b16e8c7a20ca4ac36d6cd08a

Download Submit
memory/1916-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/2500-9-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download