7db34a909fb6f215c64af5a037a3b417aaf4c644d768c12eda8863674de37ab9

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7db34a909fb6f215c64af5a037a3b417aaf4c644d768c12eda8863674de37ab9.exe
Size

1.9MB
MD5

7d5ae8a667b50daa4f945076c39bdf40
SHA1

8bba65449c6eb5865546790dd286fbb9ae6b1f8d
SHA256

7db34a909fb6f215c64af5a037a3b417aaf4c644d768c12eda8863674de37ab9
SHA512

72bc87a5511163e60ea916b19e118a0b57014f802d80e00f2ac8b596617f97bd5b032ca2ca77fe52d238358a32bd603f9dc34e661c6049c07ed53cebdc54d8dd
SSDEEP

24576:N2oo60HPdt+1CRiY2eOBvcj3u10dGCN4c7jPdJ6nolck7q/bNdGQB6jwhkpmH+e:Qoa1taC070dfNL7DunolBiJddiw+He

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4588	BD45.tmp

Executes dropped EXE 1 IoCs

pid	Process
4588	BD45.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7db34a909fb6f215c64af5a037a3b417aaf4c644d768c12eda8863674de37ab9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BD45.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 4588	2376	7db34a909fb6f215c64af5a037a3b417aaf4c644d768c12eda8863674de37ab9.exe	82
PID 2376 wrote to memory of 4588	2376	7db34a909fb6f215c64af5a037a3b417aaf4c644d768c12eda8863674de37ab9.exe	82
PID 2376 wrote to memory of 4588	2376	7db34a909fb6f215c64af5a037a3b417aaf4c644d768c12eda8863674de37ab9.exe	82

C:\Users\Admin\AppData\Local\Temp\7db34a909fb6f215c64af5a037a3b417aaf4c644d768c12eda8863674de37ab9.exe
"C:\Users\Admin\AppData\Local\Temp\7db34a909fb6f215c64af5a037a3b417aaf4c644d768c12eda8863674de37ab9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\BD45.tmp
  "C:\Users\Admin\AppData\Local\Temp\BD45.tmp" --splashC:\Users\Admin\AppData\Local\Temp\7db34a909fb6f215c64af5a037a3b417aaf4c644d768c12eda8863674de37ab9.exe 95B4D78BE14B5E17C132B3E57F2F6D4698CDBE1F0B36960160EB1131866EDDB9330F64CDA3C14163A7F7D669F59F05C3E0714CF34FF734F1D56EEB97DB9E9AA9
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BD45.tmp

Filesize
1.9MB

MD5
3d3fa4d3a75db5cb54f599922c11f16f

SHA1
361aea9798572bab402462b683fcaaacc2728198

SHA256
6cc4b42ee2ceeee697b8ded41182f6f83a5e3c9447b4b3bb7b306fb4f38c9fbb

SHA512
d31564fe9eb8f3accf940b9e00f9d9c24ce3780fe3251caee22686166615f94ab464e70710f9cd5a255041a96f31cc4284e35df687dc2813b7430634192ce364

Download Submit
memory/2376-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/4588-5-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download