5561645dfcffd38eee2d426323ad15d69893229acc00c90009eb5b79f7dac6c8

Analysis

max time kernel
15s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 09:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5561645dfcffd38eee2d426323ad15d69893229acc00c90009eb5b79f7dac6c8N.exe
Size

7.8MB
MD5

b91cd5f8da294ce2a269fcb5a02c7c00
SHA1

01348c5ff93e377c26ba7e4ccb05704ecc45f9af
SHA256

5561645dfcffd38eee2d426323ad15d69893229acc00c90009eb5b79f7dac6c8
SHA512

b705742aa6f04ea995f6000af11956b073f5903fe73dfed721279bb58d14f8fa8f97abd85d1284809269ae04ebe75db19eeb054f55caf817ec0241455cdf61a0
SSDEEP

98304:emhd1UryegNpdWwHCRGV7wQqZUha5jtSyZIUb:elA7HL2QbaZtli

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2180	BD56.tmp

Executes dropped EXE 1 IoCs

pid	Process
2180	BD56.tmp

Loads dropped DLL 2 IoCs

pid	Process
764	5561645dfcffd38eee2d426323ad15d69893229acc00c90009eb5b79f7dac6c8N.exe
764	5561645dfcffd38eee2d426323ad15d69893229acc00c90009eb5b79f7dac6c8N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5561645dfcffd38eee2d426323ad15d69893229acc00c90009eb5b79f7dac6c8N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 2180	764	5561645dfcffd38eee2d426323ad15d69893229acc00c90009eb5b79f7dac6c8N.exe	30
PID 764 wrote to memory of 2180	764	5561645dfcffd38eee2d426323ad15d69893229acc00c90009eb5b79f7dac6c8N.exe	30
PID 764 wrote to memory of 2180	764	5561645dfcffd38eee2d426323ad15d69893229acc00c90009eb5b79f7dac6c8N.exe	30
PID 764 wrote to memory of 2180	764	5561645dfcffd38eee2d426323ad15d69893229acc00c90009eb5b79f7dac6c8N.exe	30

C:\Users\Admin\AppData\Local\Temp\5561645dfcffd38eee2d426323ad15d69893229acc00c90009eb5b79f7dac6c8N.exe
"C:\Users\Admin\AppData\Local\Temp\5561645dfcffd38eee2d426323ad15d69893229acc00c90009eb5b79f7dac6c8N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:764
- C:\Users\Admin\AppData\Local\Temp\BD56.tmp
  "C:\Users\Admin\AppData\Local\Temp\BD56.tmp" --splashC:\Users\Admin\AppData\Local\Temp\5561645dfcffd38eee2d426323ad15d69893229acc00c90009eb5b79f7dac6c8N.exe 833F20A24B504A90DF388C95BB007B2A9FAC8B3B506F7A1A8A23CB4DC7F8798AA07D907F4C4957AB94B16A048D7627BDBDC77BF07A638D01AF544BE4394B59C6
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BD56.tmp

Filesize
7.8MB

MD5
a87533f9ff8b0f937383b7863300e071

SHA1
f1275c231352e2cf81b929f0764259528de390a7

SHA256
e066fc1d25d6dfdcc685d0781c2d3abdbe1d4b0261132071d8ace70b1182978f

SHA512
a6c15ad987a32fe2517c021ccd4b909a81d44bd91194278f46b3a97dbcb473f036e1ba1a236c8063a65de9731c8b873f6b8b55b4dbf0c7f0187d8ad477be4506

Download Submit
memory/764-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/2180-9-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download