7767fc754264b3353ff4080310a9c5dd540fff2d52287de0a68d93b47f7fee02

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7767fc754264b3353ff4080310a9c5dd540fff2d52287de0a68d93b47f7fee02N.exe
Size

7.6MB
MD5

e9361b39ee8e422ea6d423fa66bc4240
SHA1

d434bbc3c2fa54131ebd3c78a3d83ca948a44124
SHA256

7767fc754264b3353ff4080310a9c5dd540fff2d52287de0a68d93b47f7fee02
SHA512

a98ef336c8378046a8bf8ec1700f8664d90315f7e898f1b08837592637a2798339ee5f0670f646ea6bb69e28976e224f5ad36820c1386109ce31fb6f9752188b
SSDEEP

98304:emhd1UryeF5K3F9PkwX9q0iV7wQqZUha5jtSyZIUbj:ell5CHXpi2QbaZtliW

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1896	6A53.tmp

Executes dropped EXE 1 IoCs

pid	Process
1896	6A53.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7767fc754264b3353ff4080310a9c5dd540fff2d52287de0a68d93b47f7fee02N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6A53.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1896	1996	7767fc754264b3353ff4080310a9c5dd540fff2d52287de0a68d93b47f7fee02N.exe	86
PID 1996 wrote to memory of 1896	1996	7767fc754264b3353ff4080310a9c5dd540fff2d52287de0a68d93b47f7fee02N.exe	86
PID 1996 wrote to memory of 1896	1996	7767fc754264b3353ff4080310a9c5dd540fff2d52287de0a68d93b47f7fee02N.exe	86

C:\Users\Admin\AppData\Local\Temp\7767fc754264b3353ff4080310a9c5dd540fff2d52287de0a68d93b47f7fee02N.exe
"C:\Users\Admin\AppData\Local\Temp\7767fc754264b3353ff4080310a9c5dd540fff2d52287de0a68d93b47f7fee02N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\6A53.tmp
  "C:\Users\Admin\AppData\Local\Temp\6A53.tmp" --splashC:\Users\Admin\AppData\Local\Temp\7767fc754264b3353ff4080310a9c5dd540fff2d52287de0a68d93b47f7fee02N.exe DAA736FFB4AF0210EFA00B5B2A437BFE82395AE62A65A0BB3B5040AA909F99C1568793DC6D01CDFD1A3B6B9A1ADEC31D456CD5AA512C96AEAF06AAC2C0A609D9
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6A53.tmp

Filesize
7.6MB

MD5
07149cfa92e623f3c34a4035b5f458f2

SHA1
da8c1ead93fde45570f263e9d4d9181c184d69f6

SHA256
0837be7560de5224db4987b1cc839555c1d0f16ed93e7023300e0d7c0c9d00c5

SHA512
c0cb706aef8ac4ac88881f60bc00eee4d8261f5eae9cdde8df95a1ea1c203042cc2b1b31676b7a80766ca0157cfd5593c65bf0f7e52bc5d0c4e84e8a1777e730

Download Submit
memory/1896-5-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/1996-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download