afb8e6d3761c08b933b7c516abeb53f46401c714f86847b103c486bd180f4522

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-10-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afb8e6d3761c08b933b7c516abeb53f46401c714f86847b103c486bd180f4522N.exe
Size

6.6MB
MD5

5a331d6fca0a55ac3437468937d07860
SHA1

b87107e084577e90e5321126ca89fef30ff8da2b
SHA256

afb8e6d3761c08b933b7c516abeb53f46401c714f86847b103c486bd180f4522
SHA512

ed57827723ba18f50ff3810f9d9bdf9ae7635c1e544ef2f6d6fc2337387af718ceb58043eabb50753784fde483ba4207f62e0dfc2e82707f122cf588f7a9532c
SSDEEP

98304:emhd1UryenoQ8UKqXksc8CczYV7wQqZUha5jtSyZIUb+:elHadCCn2QbaZtlit

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2368	CD3E.tmp

Executes dropped EXE 1 IoCs

pid	Process
2368	CD3E.tmp

Loads dropped DLL 2 IoCs

pid	Process
2528	afb8e6d3761c08b933b7c516abeb53f46401c714f86847b103c486bd180f4522N.exe
2528	afb8e6d3761c08b933b7c516abeb53f46401c714f86847b103c486bd180f4522N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afb8e6d3761c08b933b7c516abeb53f46401c714f86847b103c486bd180f4522N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2368	2528	afb8e6d3761c08b933b7c516abeb53f46401c714f86847b103c486bd180f4522N.exe	31
PID 2528 wrote to memory of 2368	2528	afb8e6d3761c08b933b7c516abeb53f46401c714f86847b103c486bd180f4522N.exe	31
PID 2528 wrote to memory of 2368	2528	afb8e6d3761c08b933b7c516abeb53f46401c714f86847b103c486bd180f4522N.exe	31
PID 2528 wrote to memory of 2368	2528	afb8e6d3761c08b933b7c516abeb53f46401c714f86847b103c486bd180f4522N.exe	31

C:\Users\Admin\AppData\Local\Temp\afb8e6d3761c08b933b7c516abeb53f46401c714f86847b103c486bd180f4522N.exe
"C:\Users\Admin\AppData\Local\Temp\afb8e6d3761c08b933b7c516abeb53f46401c714f86847b103c486bd180f4522N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\CD3E.tmp
  "C:\Users\Admin\AppData\Local\Temp\CD3E.tmp" --splashC:\Users\Admin\AppData\Local\Temp\afb8e6d3761c08b933b7c516abeb53f46401c714f86847b103c486bd180f4522N.exe 3895BE7D1EACA17E79A8867B7A8A570DC5123E874CB3D19FC0B4B685D1B9ABC0EAB0DBFBD0367A6B2F5F7B6C2CB63A728E8D6D117EA886CBDA3004EBCC38CC2D
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CD3E.tmp

Filesize
6.6MB

MD5
2650b12d06da056e6086cbaa0eec54cb

SHA1
8d6566fbd46210dcf1d190943f3f2678a6a10680

SHA256
dc125fa28d9cadff23790a427a40fcfcac3c22480c602b4302553423bc5ec94b

SHA512
a2f544a7a3a5c03e4fbcca38c1911ee773ee43825a5115cf5ab63827314a30e99775cd609f2836eac0d8338cf5623f351f9b9d006fd2299da00ec74971008b1c

Download Submit
memory/2368-9-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/2528-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download