1b79a12ae5e9ed524d7a0da7e0a8d1978c89d1d44382279a7a28f64344363759

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b79a12ae5e9ed524d7a0da7e0a8d1978c89d1d44382279a7a28f64344363759N.exe
Size

55KB
MD5

60643aa50bfa5eb8efe1bfe940570610
SHA1

329ee0ace6bc2d57f92cd1a02913b856256fc600
SHA256

1b79a12ae5e9ed524d7a0da7e0a8d1978c89d1d44382279a7a28f64344363759
SHA512

e1810319dce585810bcc699181c80ca9772a9e0d81bdb0d4fa170811d97937b9c1ad9f42d0b544d9636ac0f02630fa223e3428a2f458d038985cea817aad4530
SSDEEP

384:cnwR2F5SMtoLIYi4aYiyYNHsbDAez7Nu6NMVvz3g3hNAbhNp8U:KwR1pjiy4Rez7Nuxhj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3008	hummy.exe

Loads dropped DLL 2 IoCs

pid	Process
1156	1b79a12ae5e9ed524d7a0da7e0a8d1978c89d1d44382279a7a28f64344363759N.exe
1156	1b79a12ae5e9ed524d7a0da7e0a8d1978c89d1d44382279a7a28f64344363759N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1b79a12ae5e9ed524d7a0da7e0a8d1978c89d1d44382279a7a28f64344363759N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hummy.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 3008	1156	1b79a12ae5e9ed524d7a0da7e0a8d1978c89d1d44382279a7a28f64344363759N.exe	30
PID 1156 wrote to memory of 3008	1156	1b79a12ae5e9ed524d7a0da7e0a8d1978c89d1d44382279a7a28f64344363759N.exe	30
PID 1156 wrote to memory of 3008	1156	1b79a12ae5e9ed524d7a0da7e0a8d1978c89d1d44382279a7a28f64344363759N.exe	30
PID 1156 wrote to memory of 3008	1156	1b79a12ae5e9ed524d7a0da7e0a8d1978c89d1d44382279a7a28f64344363759N.exe	30

C:\Users\Admin\AppData\Local\Temp\1b79a12ae5e9ed524d7a0da7e0a8d1978c89d1d44382279a7a28f64344363759N.exe
"C:\Users\Admin\AppData\Local\Temp\1b79a12ae5e9ed524d7a0da7e0a8d1978c89d1d44382279a7a28f64344363759N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Users\Admin\AppData\Local\Temp\hummy.exe
  "C:\Users\Admin\AppData\Local\Temp\hummy.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hummy.exe

Filesize
55KB

MD5
a37ddd89dd5eb0a1f13e2037f9502da6

SHA1
f92b7539ddd5d040a3fab9afeb182cfeb9f507cd

SHA256
b5dfad3dd94a6930670543696494f15355440b4b9203804444b845d42521cb5a

SHA512
055faf46105f486165a92d17c6a9b838c940b6b5d9f8a409c40ed2c9ca8b43b2092d01a9e3d3c1ad58136c154f6c7b9ba1bc51d48a4423b80e708edb3a8171c1

Download Submit
memory/1156-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1156-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3008-11-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download