b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exe
Size

1.9MB
MD5

c9b42da49e0d53790d6a8bd3dd488a36
SHA1

42ee38e93722907df8734d5158d16062d4266711
SHA256

b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9
SHA512

8efb9c5a49a95e5698ce554f32b6a5bd5dc86ebbcde1fef6d946bbbddf68d424cd52e12f56f94550868735ea1689c69521740debe0e207d931feb839960fb2ce
SSDEEP

49152:Qoa1taC070dzos0F6NE0tTw1MuJWH+z1c6uemksma4Fo:Qoa1taC0Jr67TfuJIkc6tOh

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

A6CA.tmp

pid process

1444 A6CA.tmp
Executes dropped EXE 1 IoCs

Processes:

A6CA.tmp

pid process

1444 A6CA.tmp
Loads dropped DLL 1 IoCs

Processes:

b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exe

pid process

2624 b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exe

pid	process
1444	A6CA.tmp

pid	process
1444	A6CA.tmp

pid	process
2624	b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exeA6CA.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A6CA.tmp

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exe

description	pid	process	target process
PID 2624 wrote to memory of 1444	2624	b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exe	A6CA.tmp
PID 2624 wrote to memory of 1444	2624	b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exe	A6CA.tmp
PID 2624 wrote to memory of 1444	2624	b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exe	A6CA.tmp
PID 2624 wrote to memory of 1444	2624	b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exe	A6CA.tmp

C:\Users\Admin\AppData\Local\Temp\b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exe
"C:\Users\Admin\AppData\Local\Temp\b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\A6CA.tmp
  "C:\Users\Admin\AppData\Local\Temp\A6CA.tmp" --splashC:\Users\Admin\AppData\Local\Temp\b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exe 8ABE9FC17C4B94095AA05D2F82ACDBB23CF841035D7C17C0DB4406C314A2A1E9C4262D6F17C171A5FFB74AA37BE8A0A36AB65F07C0235E28A71F4979F12C7E8A
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\A6CA.tmp

Filesize
1.9MB

MD5
89502ebf9b493896ea10b55efafd4b6c

SHA1
de7bbae4ae7130b82ef4d5a3126a0fc2b83d1d32

SHA256
e9856aaa1d15e28b63a735fc5a5bc131cd74ad4b12570557b630dca9e89f65de

SHA512
9a91582feaa6cf017c64e1aa1702f322f6c54aa88938eb97b1155d60d7c426692cdb8dd41cfe90a169334d9b531c2e7aa8b90944348d5652fb8878f7ecc1e2b3

Download Submit
memory/1444-6-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/2624-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download