7da1cb608947938449c75ec2d1b4b6b34f6e2aa59448c847f31d51a221a4a639

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7da1cb608947938449c75ec2d1b4b6b34f6e2aa59448c847f31d51a221a4a639N.exe
Size

7.0MB
MD5

131db5bbbf8f628f43b3fa6fdc5bb150
SHA1

99f2e6094a788ee9496440498403060daa14c5f5
SHA256

7da1cb608947938449c75ec2d1b4b6b34f6e2aa59448c847f31d51a221a4a639
SHA512

8c375860cee8e8d46fe6110d1c5b0fe93573cf08d73a0cab2fa021bd680af525e5f05ec0bbc50398e43a3b6b75c3a5dca492adeb0e01544402fc9a78d6241328
SSDEEP

98304:emhd1Urye7a5KsFI+E9FhJnmPHV7wQqZUha5jtSyZIUbn:elb8KiE9FhJmf2QbaZtliK

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4524	80A9.tmp

Executes dropped EXE 1 IoCs

pid	Process
4524	80A9.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7da1cb608947938449c75ec2d1b4b6b34f6e2aa59448c847f31d51a221a4a639N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80A9.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 4524	968	7da1cb608947938449c75ec2d1b4b6b34f6e2aa59448c847f31d51a221a4a639N.exe	82
PID 968 wrote to memory of 4524	968	7da1cb608947938449c75ec2d1b4b6b34f6e2aa59448c847f31d51a221a4a639N.exe	82
PID 968 wrote to memory of 4524	968	7da1cb608947938449c75ec2d1b4b6b34f6e2aa59448c847f31d51a221a4a639N.exe	82

C:\Users\Admin\AppData\Local\Temp\7da1cb608947938449c75ec2d1b4b6b34f6e2aa59448c847f31d51a221a4a639N.exe
"C:\Users\Admin\AppData\Local\Temp\7da1cb608947938449c75ec2d1b4b6b34f6e2aa59448c847f31d51a221a4a639N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:968
- C:\Users\Admin\AppData\Local\Temp\80A9.tmp
  "C:\Users\Admin\AppData\Local\Temp\80A9.tmp" --splashC:\Users\Admin\AppData\Local\Temp\7da1cb608947938449c75ec2d1b4b6b34f6e2aa59448c847f31d51a221a4a639N.exe 68BDFBAF0E4759C6B9259D016D2AA16A2A739309832F15B406FC77C43FF08575DB108C0F7171E27963CA485CA5478C0997FA96EEBEC764E40135764CF65C9E4E
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\80A9.tmp

Filesize
7.0MB

MD5
773b1612916137f345838844111d0c5c

SHA1
891e01f9692413e0b17d2d33318243a7fcde918a

SHA256
49ad0bc34628d3fa81b3747d16701fe3c7f5a3b5eec6c8fa4f545adb16353857

SHA512
ebe954c7949e856d1710e9e90194058cbe67f3a1d6e235c97f16d4673ba452ae82d92bdf7afe7cb443233353aa033ad32ab237e9a4c73bc240db241baf5cc864

Download Submit
memory/968-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/4524-5-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download