b56dbec4b6920f3e41b4fc3832318175048aacc7c838f58328761ada32e18c34

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b56dbec4b6920f3e41b4fc3832318175048aacc7c838f58328761ada32e18c34.exe
Size

29KB
MD5

7fa66dad9944fa7601d2a52c0783d515
SHA1

a963f1b0150b4bd7614f0970e575ec9016e5cc15
SHA256

b56dbec4b6920f3e41b4fc3832318175048aacc7c838f58328761ada32e18c34
SHA512

fda6d75048b4450944c05a824ca7bb9c70c21a359e0d4f1b9f48104596cc4223bfa5db81556dc3911e4418f8895a21231cc742f752d101a636d9e3997d5404f0
SSDEEP

384:IMAP4wZ6khYJRKiC0bz94calJJjjjCRAAAAA2GESbns6wQQjsMHXrVPeS:IM0ZiLCWwJjjZLnz6rcS

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2688	defupdater.exe

Loads dropped DLL 1 IoCs

pid	Process
2328	b56dbec4b6920f3e41b4fc3832318175048aacc7c838f58328761ada32e18c34.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b56dbec4b6920f3e41b4fc3832318175048aacc7c838f58328761ada32e18c34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	defupdater.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2688	2328	b56dbec4b6920f3e41b4fc3832318175048aacc7c838f58328761ada32e18c34.exe	30
PID 2328 wrote to memory of 2688	2328	b56dbec4b6920f3e41b4fc3832318175048aacc7c838f58328761ada32e18c34.exe	30
PID 2328 wrote to memory of 2688	2328	b56dbec4b6920f3e41b4fc3832318175048aacc7c838f58328761ada32e18c34.exe	30
PID 2328 wrote to memory of 2688	2328	b56dbec4b6920f3e41b4fc3832318175048aacc7c838f58328761ada32e18c34.exe	30
PID 2328 wrote to memory of 2688	2328	b56dbec4b6920f3e41b4fc3832318175048aacc7c838f58328761ada32e18c34.exe	30
PID 2328 wrote to memory of 2688	2328	b56dbec4b6920f3e41b4fc3832318175048aacc7c838f58328761ada32e18c34.exe	30
PID 2328 wrote to memory of 2688	2328	b56dbec4b6920f3e41b4fc3832318175048aacc7c838f58328761ada32e18c34.exe	30

C:\Users\Admin\AppData\Local\Temp\b56dbec4b6920f3e41b4fc3832318175048aacc7c838f58328761ada32e18c34.exe
"C:\Users\Admin\AppData\Local\Temp\b56dbec4b6920f3e41b4fc3832318175048aacc7c838f58328761ada32e18c34.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\defupdater.exe
  "C:\Users\Admin\AppData\Local\Temp\defupdater.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\defupdater.exe

Filesize
29KB

MD5
8d44a3b52cd64a8f07c7e6ae9028a459

SHA1
ac2c4e41e9771cef56c292a5b27195b2b836df54

SHA256
3775d3a6d487f75491456475cbe204011cbc512c1d1b93a1ede27ef93cefdf38

SHA512
77aa52f77281a5d79b255be1448d9327056cab9bd372a808b0be0214a46102be484555b15a974edd28585e203b146f1185d953b77b86954f56fa443396ad57c0

Download Submit
memory/2328-1-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2688-8-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download