6e7694ae8dd15e3b4e0a5a9d3131715ec2f17deb53285609d00d34cb8ffec0a8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
submitted
12-02-2024 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

967dc52fcbae364b572c8d8ce34593f6.exe
Size

6.8MB
MD5

967dc52fcbae364b572c8d8ce34593f6
SHA1

f3256de9d2616aca23345f21028a31ee8821a64b
SHA256

6e7694ae8dd15e3b4e0a5a9d3131715ec2f17deb53285609d00d34cb8ffec0a8
SHA512

82b2b02d8df6eae1225bf869f2fa997cf41a779216bf79eff6626709b2d5ef36f51b7190d0111c33651149666cc0e747498dd8a1f658c72e345e2a2991224811
SSDEEP

49152:nk2mic7iMnbPvRUAm+ugRkqjR7Q8TOc5KubExvCsNGEgveIXB4IujNT/IeswF69B:zmP7i+Rf0es5u2jNTAcSE8wIX

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	967dc52fcbae364b572c8d8ce34593f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 1840	3364	967dc52fcbae364b572c8d8ce34593f6.exe	58
PID 3364 wrote to memory of 1840	3364	967dc52fcbae364b572c8d8ce34593f6.exe	58
PID 3364 wrote to memory of 1840	3364	967dc52fcbae364b572c8d8ce34593f6.exe	58

C:\Users\Admin\AppData\Local\Temp\967dc52fcbae364b572c8d8ce34593f6.exe
"C:\Users\Admin\AppData\Local\Temp\967dc52fcbae364b572c8d8ce34593f6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Windows\SysWOW64\cmd.exe
  cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\s.bat

Filesize
291B

MD5
3c6486006b207cb9a53bd039483f23a3

SHA1
1483d8dbf40d15036c1e1db881e6900010f724ba

SHA256
0850e3fa22da1ae262b6daca5f0da9f92af0e76031b117973b020f11d1acd0a2

SHA512
6cf93a2c3f3d4a392be9ae8f42a4757ad31090eff838413da36ca135ebcfe36f960918ee7a1775a4cf451bc1e88d2d2ed9ddf57fa421059505ac07b858fd0226

Download Submit