6b36cb03cd91803a192f8d3f1caff4f5ee3ae77f47cc372604296902cca372af

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 16:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6b36cb03cd91803a192f8d3f1caff4f5ee3ae77f47cc372604296902cca372afN.exe
Size

4.4MB
MD5

7b647ab55f99ff35e7df6b8c8df95b30
SHA1

681c9950262b003477be0acd7a49469200d95e82
SHA256

6b36cb03cd91803a192f8d3f1caff4f5ee3ae77f47cc372604296902cca372af
SHA512

aecedbb01b8d07042e1670b814b31b3eb5d5ec1b07004ac9c8e70b3e12386992fafaad1bd89929bcad792df37da4754e2df71f493864559a534090356630fe23
SSDEEP

49152:Svm2AC0d1XqrdryeJVaWBuVd5v8OOn9x0VjyJxmO4lwLVT5dVXeQqZUhh4r5VC9j:emhd1UryepgspAVm/RV7wQqZUha5jtSn

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2888	4808.tmp

Executes dropped EXE 1 IoCs

pid	Process
2888	4808.tmp

Loads dropped DLL 2 IoCs

pid	Process
2760	6b36cb03cd91803a192f8d3f1caff4f5ee3ae77f47cc372604296902cca372afN.exe
2760	6b36cb03cd91803a192f8d3f1caff4f5ee3ae77f47cc372604296902cca372afN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b36cb03cd91803a192f8d3f1caff4f5ee3ae77f47cc372604296902cca372afN.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2888	2760	6b36cb03cd91803a192f8d3f1caff4f5ee3ae77f47cc372604296902cca372afN.exe	30
PID 2760 wrote to memory of 2888	2760	6b36cb03cd91803a192f8d3f1caff4f5ee3ae77f47cc372604296902cca372afN.exe	30
PID 2760 wrote to memory of 2888	2760	6b36cb03cd91803a192f8d3f1caff4f5ee3ae77f47cc372604296902cca372afN.exe	30
PID 2760 wrote to memory of 2888	2760	6b36cb03cd91803a192f8d3f1caff4f5ee3ae77f47cc372604296902cca372afN.exe	30

C:\Users\Admin\AppData\Local\Temp\6b36cb03cd91803a192f8d3f1caff4f5ee3ae77f47cc372604296902cca372afN.exe
"C:\Users\Admin\AppData\Local\Temp\6b36cb03cd91803a192f8d3f1caff4f5ee3ae77f47cc372604296902cca372afN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\4808.tmp
  "C:\Users\Admin\AppData\Local\Temp\4808.tmp" --splashC:\Users\Admin\AppData\Local\Temp\6b36cb03cd91803a192f8d3f1caff4f5ee3ae77f47cc372604296902cca372afN.exe AC736133479EB6B3812D8A6F392B985B6F17CC5717B3E1E678BE131CC47B649C5610CA4BEDD93380EB39E58C9203CCAC50449D68461FDE4390E1CCA29613B087
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\4808.tmp

Filesize
4.4MB

MD5
0f8e29818091d9c4cb2bf9333f003354

SHA1
b6608383de462b9358d726c9a51d76cf9116ce55

SHA256
9a0e97c950f83c1a6b930793542be7d10f81812c5813ec3391e155ff2bad3f27

SHA512
689c73c9d5b1f1ecea93ef5727f5db5ef3c837105b69b2bcdc05ae311e295283cbdf80a091fdf7567b8295883f9b9ea9ed5814102efa09647a0f37ca242fbaa7

Download Submit
memory/2760-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/2888-9-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download