Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 21:35
Static task: static1
Behavioral task: behavioral1
  Sample: 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe
  Resource: win10v2004-20241007-en
General
Target: 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe
Size: 4.2MB
MD5: 96a45c287c3ffb6ae85db562f90c9a00
SHA1: 74160e4e7ee8185ff8b9ce3b5a1e1d1d309ab730
SHA256: 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1
SHA512: 1bafdb06852abe2e06cc92a56d4392e0aa8214c2487b738c361b2451f1e7e63903126f82395bc887be5a22b3881680963a829b6e595d1d40ed25b486f245fc10
SSDEEP: 98304:Cmhd1Urye2T0EgDyKRMSVLUjH5oxFbxhVLUjH5oxFbx:Clg03oSVUjZEdhVUjZEd
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid: 2004; process: 8759.tmp
Executes dropped EXE (1 IoCs)
  pid: 2004; process: 8759.tmp
Loads dropped DLL (2 IoCs)
  pid: 2124; process: 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe
  pid: 2124; process: 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2124 wrote to memory of 2004; pid: 2124; process: 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe; procid_target: 28
  description: PID 2124 wrote to memory of 2004; pid: 2124; process: 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe; procid_target: 28
  description: PID 2124 wrote to memory of 2004; pid: 2124; process: 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe; procid_target: 28
  description: PID 2124 wrote to memory of 2004; pid: 2124; process: 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe; procid_target: 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2124
   2. C:\Users\Admin\AppData\Local\Temp\8759.tmp (child of process 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\8759.tmp" --splash C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe B2FDF4A9BC336CF73A5A9740013E82DE7A064F4726EE0DECFC463CA2B59F5D60AB86CE0282123F30FEDD32402F715BEB6E5D40635000D1127A7BAD22795D6545
      - Deletes itself
      - Executes dropped EXE
      PID: 2004
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4.2MB
MD5: 4a361c2133e7d08b7d9f50fba3807206
SHA1: b112f40e37606350d1147c8cf5eab0cfb45ff807
SHA256: 6102479a7f626ac32b1c7537f1b2ea074c3b0a9e6de6ee08a1d3a6bc873bece1
SHA512: ce8281680e5715e469b782f16179daccdf6b1685921492a5b4e34636c1cfe44cf5510949d760931cb874b9e38edb324c020822e829dd5aa08b10df39df23d742