8304d3d0a4d0c88c926058868ef83cd3318a080d3384c461052cfd10db075839

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/10/2024, 01:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8304d3d0a4d0c88c926058868ef83cd3318a080d3384c461052cfd10db075839.exe
Size

6.0MB
MD5

9e43207ca8d62d3a3b294b8cea88ef59
SHA1

7564e5584ef5bbd7b135988278bb49690d1a45a5
SHA256

8304d3d0a4d0c88c926058868ef83cd3318a080d3384c461052cfd10db075839
SHA512

42752f26367a3ed1835cc93faebb157e01ced3a55b39c122bab10b22ae3544134dfe1ad03eeb51ab82a8c63aac3147c15af94e128758bcc6d4164f3a77672209
SSDEEP

98304:emhd1UryepOI4aDXayTopkhKat9V7wQqZUha5jtSyZIUS:elJOJaDqy0pkh1n2QbaZtlir

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2312	870B.tmp

Executes dropped EXE 1 IoCs

pid	Process
2312	870B.tmp

Loads dropped DLL 2 IoCs

pid	Process
1984	8304d3d0a4d0c88c926058868ef83cd3318a080d3384c461052cfd10db075839.exe
1984	8304d3d0a4d0c88c926058868ef83cd3318a080d3384c461052cfd10db075839.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8304d3d0a4d0c88c926058868ef83cd3318a080d3384c461052cfd10db075839.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2312	1984	8304d3d0a4d0c88c926058868ef83cd3318a080d3384c461052cfd10db075839.exe	30
PID 1984 wrote to memory of 2312	1984	8304d3d0a4d0c88c926058868ef83cd3318a080d3384c461052cfd10db075839.exe	30
PID 1984 wrote to memory of 2312	1984	8304d3d0a4d0c88c926058868ef83cd3318a080d3384c461052cfd10db075839.exe	30
PID 1984 wrote to memory of 2312	1984	8304d3d0a4d0c88c926058868ef83cd3318a080d3384c461052cfd10db075839.exe	30

C:\Users\Admin\AppData\Local\Temp\8304d3d0a4d0c88c926058868ef83cd3318a080d3384c461052cfd10db075839.exe
"C:\Users\Admin\AppData\Local\Temp\8304d3d0a4d0c88c926058868ef83cd3318a080d3384c461052cfd10db075839.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\870B.tmp
  "C:\Users\Admin\AppData\Local\Temp\870B.tmp" --splashC:\Users\Admin\AppData\Local\Temp\8304d3d0a4d0c88c926058868ef83cd3318a080d3384c461052cfd10db075839.exe 2AD8471C8D8F2C4A79E41F6F005E9DA70A79B5A265EF0FFD1D406B592B0E36F0D62505DD1815CD09F5CE5B481CFA3A34A338EDB53D04321C194D11EA914E564C
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\870B.tmp

Filesize
6.0MB

MD5
600525bc5eba74add065288abfdd64f4

SHA1
c3df176fd2385bd4e245e7e5beda98fdefe3f07a

SHA256
46fd7033475249ef4a6006b30ed1dbaa27a0609e048ae6436e853a4d6d2c1cd7

SHA512
8b1c9d9be9351735688ed41296cfe16a20be14c15de62a1de62182c68581582b0fbc4d493f82eda1b405bc1f15a4b3d14933daf0d5e80cd7ac37f7977aa0021f

Download Submit
memory/1984-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/2312-9-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download