c36c7898ea1e32282bf5d92451f873e9f6b93ef0f33890838e3dd82e4b2d7d98

Analysis

max time kernel
13s
max time network
14s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c36c7898ea1e32282bf5d92451f873e9f6b93ef0f33890838e3dd82e4b2d7d98N.exe
Size

79KB
MD5

c9fc1fbee467db8bf732e1d9c7c11f30
SHA1

f5e51cc60587fa7b275fa2f0506ca68499e07a50
SHA256

c36c7898ea1e32282bf5d92451f873e9f6b93ef0f33890838e3dd82e4b2d7d98
SHA512

1105cbca7a367c2f56aea8a459d9d625e075e5193f5bce0d46033e84e2816824dda287efc3610cbc9b907b8659d3bbee993b4906b86877e03c383881f6df0513
SSDEEP

1536:zvdtbD/STEiCoOQA8AkqUhMb2nuy5wgIP0CSJ+5yEB8GMGlZ5G:zvdtPS7CtGdqU7uy5w9WMyEN5G

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
112	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
1780	cmd.exe
1780	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c36c7898ea1e32282bf5d92451f873e9f6b93ef0f33890838e3dd82e4b2d7d98N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 1780	2244	c36c7898ea1e32282bf5d92451f873e9f6b93ef0f33890838e3dd82e4b2d7d98N.exe	31
PID 2244 wrote to memory of 1780	2244	c36c7898ea1e32282bf5d92451f873e9f6b93ef0f33890838e3dd82e4b2d7d98N.exe	31
PID 2244 wrote to memory of 1780	2244	c36c7898ea1e32282bf5d92451f873e9f6b93ef0f33890838e3dd82e4b2d7d98N.exe	31
PID 2244 wrote to memory of 1780	2244	c36c7898ea1e32282bf5d92451f873e9f6b93ef0f33890838e3dd82e4b2d7d98N.exe	31
PID 1780 wrote to memory of 112	1780	cmd.exe	32
PID 1780 wrote to memory of 112	1780	cmd.exe	32
PID 1780 wrote to memory of 112	1780	cmd.exe	32
PID 1780 wrote to memory of 112	1780	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\c36c7898ea1e32282bf5d92451f873e9f6b93ef0f33890838e3dd82e4b2d7d98N.exe
"C:\Users\Admin\AppData\Local\Temp\c36c7898ea1e32282bf5d92451f873e9f6b93ef0f33890838e3dd82e4b2d7d98N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
79KB

MD5
4b151a6bbf0f14947d140c606ee7c72d

SHA1
00cc9e2f1c7560c215b489b3e186ba20921ee188

SHA256
206c78ba453901ce3b17c7d727cd60bb2c4202f463e104bf8eb19b59713750a7

SHA512
f95d95e997e676fb35e213db4e36e4f777c5d7e6a65d9b97ceb6355cc703e83efc5b7eeeb595bc104c454fa50904f68d1dd4e28337955c3da17dc84a637a96ad

Download Submit
memory/112-7-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2244-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download