ba06d84217f2b582b68ec6e20cf80b020e2b28608b6446ae96d0f7ab7f8e9168

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba06d84217f2b582b68ec6e20cf80b020e2b28608b6446ae96d0f7ab7f8e9168.exe
Size

1.2MB
MD5

e153e24281fb360eb3aa4e958bdcf4d6
SHA1

6e6f4719d07f7f63e66c0df786cf08ef2442ad79
SHA256

ba06d84217f2b582b68ec6e20cf80b020e2b28608b6446ae96d0f7ab7f8e9168
SHA512

63c1c737048d2c09e8cb32923d2aef31a0a20c8c809d7ace9280fdb4c5aa3fc511972237da9e7948dc255e6b164854c4a81631b0dc18e6467c228edf26acd373
SSDEEP

24576:qKeyxTAJj7P+yW6mc1YCwuv6ez8quGqYXOnfTjG3B49a9IK/T7RU:qKeyRA0y9fWCw28Men7jG3iAN/JU

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3048	ybyetkmhas.exe

Loads dropped DLL 1 IoCs

pid	Process
2976	ba06d84217f2b582b68ec6e20cf80b020e2b28608b6446ae96d0f7ab7f8e9168.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\mrtswzvn\ybyetkmhas.exe	ba06d84217f2b582b68ec6e20cf80b020e2b28608b6446ae96d0f7ab7f8e9168.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba06d84217f2b582b68ec6e20cf80b020e2b28608b6446ae96d0f7ab7f8e9168.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 3048	2976	ba06d84217f2b582b68ec6e20cf80b020e2b28608b6446ae96d0f7ab7f8e9168.exe	30
PID 2976 wrote to memory of 3048	2976	ba06d84217f2b582b68ec6e20cf80b020e2b28608b6446ae96d0f7ab7f8e9168.exe	30
PID 2976 wrote to memory of 3048	2976	ba06d84217f2b582b68ec6e20cf80b020e2b28608b6446ae96d0f7ab7f8e9168.exe	30
PID 2976 wrote to memory of 3048	2976	ba06d84217f2b582b68ec6e20cf80b020e2b28608b6446ae96d0f7ab7f8e9168.exe	30

C:\Users\Admin\AppData\Local\Temp\ba06d84217f2b582b68ec6e20cf80b020e2b28608b6446ae96d0f7ab7f8e9168.exe
"C:\Users\Admin\AppData\Local\Temp\ba06d84217f2b582b68ec6e20cf80b020e2b28608b6446ae96d0f7ab7f8e9168.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Program Files (x86)\mrtswzvn\ybyetkmhas.exe
  "C:\Program Files (x86)\mrtswzvn\ybyetkmhas.exe"
  2⤵
  - Executes dropped EXE
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\mrtswzvn\ybyetkmhas.exe

Filesize
1.2MB

MD5
6a8c03dd08f9b7cb42f7681a1c43d798

SHA1
0580098d0286927aa0d936a34bb917e98718d811

SHA256
f0ccde3d8ee6d786477b9d5462ca204febbfe92fdda184e7e5881e0d5a20a139

SHA512
deb234df10dfbdc9c56755c27422410cef048f795ca1519f18aaf1c4fc3acd4cc665dd06c138d45d940bcc1fa92e4dffe7c239c1efa5ca3926467d38691f56aa

Download Submit
memory/2976-0-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2976-1-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2976-8-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2976-5-0x0000000000340000-0x00000000003D4000-memory.dmp

Filesize
592KB

Download
memory/3048-9-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3048-10-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3048-11-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download