471f3fb1a953fab38be3081eb835574694bc72b94f239edc400d1ce3d7a8ecb0

Analysis

max time kernel
841s
max time network
842s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7E3903944EAB7B61B495572BAA60FB72.exe
Size

228KB
MD5

7e3903944eab7b61b495572baa60fb72
SHA1

116930517baab6bdb0829990a43af54d155f5332
SHA256

06e921abf28c4b260c59d61d84a74c3a5dc12ac99a34110ca5480ce61689385c
SHA512

0e29eaea245dd0068d44ff016c5da65396e5ad94aa79fcbe3cb187666b7b21890b22e2a13ac57e4bcfcf39436a7c5fa53a5470a8fae6de7215f297b82ea62ad5
SSDEEP

3072:RKR+u1vFeb+pknH46ZjbVxltW8wylYJiocMor+ROYJPR+9RbA8D79qiNFwEQ7:R4Z19dknH4yFhtocMO+kYlI9tdJmr

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2972 cmd.exe
Drops file in System32 directory 1 IoCs

Processes:

7E3903944EAB7B61B495572BAA60FB72.exe

description ioc process

File created C:\Windows\SysWOW64\ud.bat 7E3903944EAB7B61B495572BAA60FB72.exe

pid	process
2972	cmd.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ud.bat	7E3903944EAB7B61B495572BAA60FB72.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7E3903944EAB7B61B495572BAA60FB72.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7E3903944EAB7B61B495572BAA60FB72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

7E3903944EAB7B61B495572BAA60FB72.exe

description	pid	process	target process
PID 2336 wrote to memory of 2972	2336	7E3903944EAB7B61B495572BAA60FB72.exe	cmd.exe
PID 2336 wrote to memory of 2972	2336	7E3903944EAB7B61B495572BAA60FB72.exe	cmd.exe
PID 2336 wrote to memory of 2972	2336	7E3903944EAB7B61B495572BAA60FB72.exe	cmd.exe
PID 2336 wrote to memory of 2972	2336	7E3903944EAB7B61B495572BAA60FB72.exe	cmd.exe
PID 2336 wrote to memory of 2972	2336	7E3903944EAB7B61B495572BAA60FB72.exe	cmd.exe
PID 2336 wrote to memory of 2972	2336	7E3903944EAB7B61B495572BAA60FB72.exe	cmd.exe
PID 2336 wrote to memory of 2972	2336	7E3903944EAB7B61B495572BAA60FB72.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7E3903944EAB7B61B495572BAA60FB72.exe
"C:\Users\Admin\AppData\Local\Temp\7E3903944EAB7B61B495572BAA60FB72.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\ud.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ud.bat

Filesize
308B

MD5
f82d22cad4fa6e6093f823ed1595445b

SHA1
3f24227171344252f3920a5bbd15ead16414a9c7

SHA256
84900b5468205dd98995e9bb78a8d99c9621f8557608aed9af56e30681f32b28

SHA512
124c7b12e78edb3f3d634f59440c4cfe5b5a73dcf748b84148995b64fbc49c078b2f1e08fd4f340d5d96271e76bddc678281cb6b3580692cbe0f9382a4a0bc86

Download Submit