b6e7c9b6f72670061b169ea66ab2b197c3795d66ffb3f3593d94323bc3d11468

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hasleo-wintohdd-5-9.exe
Size

9.3MB
MD5

04c8401b79f024faf424bd3d192105f6
SHA1

bb0f0303bc16c7b09b6a0e60f190464c1fd9b6cb
SHA256

b6e7c9b6f72670061b169ea66ab2b197c3795d66ffb3f3593d94323bc3d11468
SHA512

8ce53f36d4386f81b367bd14a29fbfe2f5be4f090a85ccab0bea89260e74daa08e4d1f853b8c965bdaec32c5cc2815e039a46f54efcdb1d1371b1ef6dd3c4d73
SSDEEP

196608:JeDxdyMMPxLl5WCmAyo4dN6nV91en4+/PlsloDDLOKiH2yBQGp2TnQK:JeDHywouiC4+HlslMHOH2k2TP

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2712	hasleo-wintohdd-5-9.tmp

Loads dropped DLL 2 IoCs

pid	Process
296	hasleo-wintohdd-5-9.exe
2712	hasleo-wintohdd-5-9.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hasleo-wintohdd-5-9.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hasleo-wintohdd-5-9.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 296 wrote to memory of 2712	296	hasleo-wintohdd-5-9.exe	30
PID 296 wrote to memory of 2712	296	hasleo-wintohdd-5-9.exe	30
PID 296 wrote to memory of 2712	296	hasleo-wintohdd-5-9.exe	30
PID 296 wrote to memory of 2712	296	hasleo-wintohdd-5-9.exe	30
PID 296 wrote to memory of 2712	296	hasleo-wintohdd-5-9.exe	30
PID 296 wrote to memory of 2712	296	hasleo-wintohdd-5-9.exe	30
PID 296 wrote to memory of 2712	296	hasleo-wintohdd-5-9.exe	30

C:\Users\Admin\AppData\Local\Temp\hasleo-wintohdd-5-9.exe
"C:\Users\Admin\AppData\Local\Temp\hasleo-wintohdd-5-9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:296
- C:\Users\Admin\AppData\Local\Temp\is-NEO5P.tmp\hasleo-wintohdd-5-9.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NEO5P.tmp\hasleo-wintohdd-5-9.tmp" /SL5="$30158,9309272,131584,C:\Users\Admin\AppData\Local\Temp\hasleo-wintohdd-5-9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-89VFH.tmp\unins000.dll

Filesize
748KB

MD5
d484948eb2fb6b29a12192e83ba1444a

SHA1
4ea95f20523b5da009a8302b191afce3ccac8341

SHA256
fe03060db07eee874fbdd5a97dbb6cd20f519b385ea1a28b9ba6b15e351f3d87

SHA512
c4e575abbdb5d84c095a8268e477ce9546ab43522c20949d2c273e8372486d03c4907b0310280137c1cf4e20d0a2aa69120d000e4a4f799ced75d8ef7e2b28ad

Download Submit
\Users\Admin\AppData\Local\Temp\is-NEO5P.tmp\hasleo-wintohdd-5-9.tmp

Filesize
1.1MB

MD5
1d3838613ecc9e4f9edea6a722380add

SHA1
7f47a17a977b5bdad81e159ef7468adb9d5a22a1

SHA256
9245d179299f957b6550dd48a79d4aa1d684a66192474a47b6f16721dd4198ca

SHA512
aab911953effb4692f335f9e6b2da2221972c5a5a17b62f67945803ee4714e3aa59843fcede58878c3737cff0339c9d3fccd026fb2369a1ae15b74cc2eb84dbe

Download Submit
memory/296-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/296-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/296-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2712-8-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/2712-15-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download