27ab073ab876ffe8be6180996e6b457b5b4053ea2173233f381c768169d91957

Analysis

max time kernel
15s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27ab073ab876ffe8be6180996e6b457b5b4053ea2173233f381c768169d91957.exe
Size

1.9MB
MD5

73fc49f6dda39eb13ccc9b2c2487dcbb
SHA1

a441ac52f5b4579ee9f0003bf1b02ef432bdcac0
SHA256

27ab073ab876ffe8be6180996e6b457b5b4053ea2173233f381c768169d91957
SHA512

c3d7a6265bceace5606eccac81a2869f2fac1b186a725c25291b24ac62c0d3183ad353b2cc79a80431731e90236de64f374a006318087792b148fcadbd57d210
SSDEEP

49152:Qoa1taC070dxrv5Vrnct5IHZqYDOvQvxG/GFc:Qoa1taC0oz5VQt5I5ZDOIvx3C

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2320	75DB.tmp

Executes dropped EXE 1 IoCs

pid	Process
2320	75DB.tmp

Loads dropped DLL 1 IoCs

pid	Process
2580	27ab073ab876ffe8be6180996e6b457b5b4053ea2173233f381c768169d91957.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27ab073ab876ffe8be6180996e6b457b5b4053ea2173233f381c768169d91957.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75DB.tmp

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2320	2580	27ab073ab876ffe8be6180996e6b457b5b4053ea2173233f381c768169d91957.exe	29
PID 2580 wrote to memory of 2320	2580	27ab073ab876ffe8be6180996e6b457b5b4053ea2173233f381c768169d91957.exe	29
PID 2580 wrote to memory of 2320	2580	27ab073ab876ffe8be6180996e6b457b5b4053ea2173233f381c768169d91957.exe	29
PID 2580 wrote to memory of 2320	2580	27ab073ab876ffe8be6180996e6b457b5b4053ea2173233f381c768169d91957.exe	29

C:\Users\Admin\AppData\Local\Temp\27ab073ab876ffe8be6180996e6b457b5b4053ea2173233f381c768169d91957.exe
"C:\Users\Admin\AppData\Local\Temp\27ab073ab876ffe8be6180996e6b457b5b4053ea2173233f381c768169d91957.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Local\Temp\75DB.tmp
  "C:\Users\Admin\AppData\Local\Temp\75DB.tmp" --splashC:\Users\Admin\AppData\Local\Temp\27ab073ab876ffe8be6180996e6b457b5b4053ea2173233f381c768169d91957.exe 855E0F6280E3453E6D2FFE9F9F206774368C31A0A79F0EDD6B0A37E5C6B7B24F8D08AFDEEFD03AED5FD4A0D1BBF4FC8672D7144D25A5D4EC6C8805654AFEB124
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\75DB.tmp

Filesize
1.9MB

MD5
98367a1165d66912391f7f89d2a2e97c

SHA1
5ffa9a99b58b5ddc488a0b26d84a137392809f9f

SHA256
dea4a43d982ba113429f08ba3fc66294e343d08daad4c8c59d47ec1cfcfc2127

SHA512
7dda186a20623dc2b6694b0db7ca0bc6f193c3a5cc915bec2d0a97e843c8a8eade554f5782e8f3d62bfa6394a6e8c33692ec5230a356dd4e70dfe48f2ddf11ce

Download Submit
memory/2320-6-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/2580-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download