9d0a097fd9f17f7707d35f358ec77650dac7c5eabdbb81bd3a310f1b4c44b637

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d0a097fd9f17f7707d35f358ec77650dac7c5eabdbb81bd3a310f1b4c44b637.exe
Size

1.9MB
MD5

8933d513c4537fa6225a66c16c802583
SHA1

8edad7f1fcbebd5dbea4e646bcb0672e367b9728
SHA256

9d0a097fd9f17f7707d35f358ec77650dac7c5eabdbb81bd3a310f1b4c44b637
SHA512

66db7acb5a0a27d5071164ffae27971e3d68f404fc77a89bf4391d1dc1ae9923c6bdb51b08340a41c72cf788f2b16e2044e571cc18b85023674e16bab31df99a
SSDEEP

49152:Qoa1taC070daU/ZwwR5Zf1HtnoiASGhRQxEDMn:Qoa1taC0U/Z5511KZPQKDo

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

A209.tmp

pid process

3028 A209.tmp
Executes dropped EXE 1 IoCs

Processes:

A209.tmp

pid process

3028 A209.tmp
Loads dropped DLL 1 IoCs

Processes:

9d0a097fd9f17f7707d35f358ec77650dac7c5eabdbb81bd3a310f1b4c44b637.exe

pid process

2896 9d0a097fd9f17f7707d35f358ec77650dac7c5eabdbb81bd3a310f1b4c44b637.exe

pid	process
3028	A209.tmp

pid	process
3028	A209.tmp

pid	process
2896	9d0a097fd9f17f7707d35f358ec77650dac7c5eabdbb81bd3a310f1b4c44b637.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9d0a097fd9f17f7707d35f358ec77650dac7c5eabdbb81bd3a310f1b4c44b637.exeA209.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d0a097fd9f17f7707d35f358ec77650dac7c5eabdbb81bd3a310f1b4c44b637.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A209.tmp

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

9d0a097fd9f17f7707d35f358ec77650dac7c5eabdbb81bd3a310f1b4c44b637.exe

description	pid	process	target process
PID 2896 wrote to memory of 3028	2896	9d0a097fd9f17f7707d35f358ec77650dac7c5eabdbb81bd3a310f1b4c44b637.exe	A209.tmp
PID 2896 wrote to memory of 3028	2896	9d0a097fd9f17f7707d35f358ec77650dac7c5eabdbb81bd3a310f1b4c44b637.exe	A209.tmp
PID 2896 wrote to memory of 3028	2896	9d0a097fd9f17f7707d35f358ec77650dac7c5eabdbb81bd3a310f1b4c44b637.exe	A209.tmp
PID 2896 wrote to memory of 3028	2896	9d0a097fd9f17f7707d35f358ec77650dac7c5eabdbb81bd3a310f1b4c44b637.exe	A209.tmp

C:\Users\Admin\AppData\Local\Temp\9d0a097fd9f17f7707d35f358ec77650dac7c5eabdbb81bd3a310f1b4c44b637.exe
"C:\Users\Admin\AppData\Local\Temp\9d0a097fd9f17f7707d35f358ec77650dac7c5eabdbb81bd3a310f1b4c44b637.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\A209.tmp
  "C:\Users\Admin\AppData\Local\Temp\A209.tmp" --splashC:\Users\Admin\AppData\Local\Temp\9d0a097fd9f17f7707d35f358ec77650dac7c5eabdbb81bd3a310f1b4c44b637.exe 31692A75C5810F6164B6C470CE39B602F58432098616B9ABCE96828CBE9966C8938646234194420B54D483F9968535F561BEE04CDF5F17D9A788ACC77AE75B95
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\A209.tmp

Filesize
1.9MB

MD5
f32374296eafef94fe3090423bee0f5f

SHA1
43ae12009ec8a134e17eb116d7b5d9c2133b0195

SHA256
514c9075b4ab4179830a2bb4c231bd31d59c87371b60c0d17690f50ac821aa04

SHA512
11c058feda8af78df03347707f2f286932aa36c9de456508dcc8ac11af4f4ab5c44d86ea9bf9d7ea4b00156bf01dbce3c324c404392daed6875ecd27e711d5f3

Download Submit
memory/2896-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/3028-6-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download