fbfe50e10c2dac74a5a09bf7760822f9f332a751a2266ec2a044b468078431a8

Analysis

max time kernel
19s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbfe50e10c2dac74a5a09bf7760822f9f332a751a2266ec2a044b468078431a8.exe
Size

1.0MB
MD5

84c790199dc83e16886bd81bd49e7178
SHA1

58bdd4bc3a01a38dc2787d19d43daace5916c75a
SHA256

fbfe50e10c2dac74a5a09bf7760822f9f332a751a2266ec2a044b468078431a8
SHA512

c5369de72b48214533a3bfe1689195f3df8def38a0065cf9a4e6eee0523abec123022996f78a40a17debe9733d31e8ec30ddc48fda6204043d04fbff8dc1c359
SSDEEP

24576:dgdhhQGGnnazLpj4VHogiuGPYm51skpiOrE5JoY0:dqgazxcGPp51skUcEroY0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ouekowqvgmyfwc.exe

pid process

316 ouekowqvgmyfwc.exe
Loads dropped DLL 1 IoCs

Processes:

fbfe50e10c2dac74a5a09bf7760822f9f332a751a2266ec2a044b468078431a8.exe

pid process

1608 fbfe50e10c2dac74a5a09bf7760822f9f332a751a2266ec2a044b468078431a8.exe

pid	process
316	ouekowqvgmyfwc.exe

pid	process
1608	fbfe50e10c2dac74a5a09bf7760822f9f332a751a2266ec2a044b468078431a8.exe

Drops file in Program Files directory 1 IoCs

Processes:

fbfe50e10c2dac74a5a09bf7760822f9f332a751a2266ec2a044b468078431a8.exe

description	ioc	process
File created	C:\Program Files (x86)\ztayynnq\ouekowqvgmyfwc.exe	fbfe50e10c2dac74a5a09bf7760822f9f332a751a2266ec2a044b468078431a8.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

fbfe50e10c2dac74a5a09bf7760822f9f332a751a2266ec2a044b468078431a8.exeouekowqvgmyfwc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbfe50e10c2dac74a5a09bf7760822f9f332a751a2266ec2a044b468078431a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ouekowqvgmyfwc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

fbfe50e10c2dac74a5a09bf7760822f9f332a751a2266ec2a044b468078431a8.exe

description	pid	process	target process
PID 1608 wrote to memory of 316	1608	fbfe50e10c2dac74a5a09bf7760822f9f332a751a2266ec2a044b468078431a8.exe	ouekowqvgmyfwc.exe
PID 1608 wrote to memory of 316	1608	fbfe50e10c2dac74a5a09bf7760822f9f332a751a2266ec2a044b468078431a8.exe	ouekowqvgmyfwc.exe
PID 1608 wrote to memory of 316	1608	fbfe50e10c2dac74a5a09bf7760822f9f332a751a2266ec2a044b468078431a8.exe	ouekowqvgmyfwc.exe
PID 1608 wrote to memory of 316	1608	fbfe50e10c2dac74a5a09bf7760822f9f332a751a2266ec2a044b468078431a8.exe	ouekowqvgmyfwc.exe

C:\Users\Admin\AppData\Local\Temp\fbfe50e10c2dac74a5a09bf7760822f9f332a751a2266ec2a044b468078431a8.exe
"C:\Users\Admin\AppData\Local\Temp\fbfe50e10c2dac74a5a09bf7760822f9f332a751a2266ec2a044b468078431a8.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Program Files (x86)\ztayynnq\ouekowqvgmyfwc.exe
  "C:\Program Files (x86)\ztayynnq\ouekowqvgmyfwc.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\ztayynnq\ouekowqvgmyfwc.exe

Filesize
1.0MB

MD5
e393074709403659ed75bc418faa1c4d

SHA1
8f3f0a902aef49977efcfa2b69821d66d801fb3a

SHA256
e33049b42c15e32f521f8ecd9b8c448e2ac22dd1a01e597f28220bb9c87a7194

SHA512
5c27782aaedfc28cb5554cbe5248d75fd969d3d91b6a6d930afe91184e32163ab131905588f429ecee938c3fc465a79d017e654b1eb9088df3479131479c21e3

Download Submit
memory/316-6-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1608-5-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download