65e8bf4d364b451c9608e7491b2dc6b81794ffd8d5143281866d6458a802dc36

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65e8bf4d364b451c9608e7491b2dc6b81794ffd8d5143281866d6458a802dc36.exe
Size

1.9MB
MD5

956f30962717dbadb4e8e157dfb4d9de
SHA1

f076c65f76ec95d650cb26988bac6c705d1d946d
SHA256

65e8bf4d364b451c9608e7491b2dc6b81794ffd8d5143281866d6458a802dc36
SHA512

23ec758614c2ebeec0caede2bbfc1464b26a25c26e9c32f1f7cb1ce11d8b4a6a5c9e721bad83d667767fdf87cd1b78fb89e1e55b2842c1d532a9d221fc2dfcaf
SSDEEP

49152:Qoa1taC070dEw14uTVIonXOeqBNmUVANIma5FjVPx6:Qoa1taC0hwRIo5uNm2ANITFpZ6

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2160	E521.tmp

Executes dropped EXE 1 IoCs

pid	Process
2160	E521.tmp

Loads dropped DLL 1 IoCs

pid	Process
1780	65e8bf4d364b451c9608e7491b2dc6b81794ffd8d5143281866d6458a802dc36.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65e8bf4d364b451c9608e7491b2dc6b81794ffd8d5143281866d6458a802dc36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E521.tmp

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2160	1780	65e8bf4d364b451c9608e7491b2dc6b81794ffd8d5143281866d6458a802dc36.exe	31
PID 1780 wrote to memory of 2160	1780	65e8bf4d364b451c9608e7491b2dc6b81794ffd8d5143281866d6458a802dc36.exe	31
PID 1780 wrote to memory of 2160	1780	65e8bf4d364b451c9608e7491b2dc6b81794ffd8d5143281866d6458a802dc36.exe	31
PID 1780 wrote to memory of 2160	1780	65e8bf4d364b451c9608e7491b2dc6b81794ffd8d5143281866d6458a802dc36.exe	31

C:\Users\Admin\AppData\Local\Temp\65e8bf4d364b451c9608e7491b2dc6b81794ffd8d5143281866d6458a802dc36.exe
"C:\Users\Admin\AppData\Local\Temp\65e8bf4d364b451c9608e7491b2dc6b81794ffd8d5143281866d6458a802dc36.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\E521.tmp
  "C:\Users\Admin\AppData\Local\Temp\E521.tmp" --splashC:\Users\Admin\AppData\Local\Temp\65e8bf4d364b451c9608e7491b2dc6b81794ffd8d5143281866d6458a802dc36.exe A9288332F7B90CE7E78BD7131809B4206496E5CE542A15BDCB5A7FBC370C38CFBDFAE848F0DE353F74A93DD38EEE43477225C3CB3F23C3954F31DA85A9898D7A
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\E521.tmp

Filesize
1.9MB

MD5
c08c8ee3495d67add24207d29b4bc719

SHA1
68f746120ba999063c26c5b55842682cb52c2cb1

SHA256
639a7fa183ceafdcad7f5cf9dcf153fc669594f79939baa109d5b19e9d1bdfad

SHA512
48857b7d5fcc0503a6906752ecde3901d4f005e19bd803865b4d0801812a85fb9b9bdb7f92d8855f76bccd7a42f408b02153ffa397557243141dd374f66f247e

Download Submit
memory/1780-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/2160-6-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download