0c3ee3977deb2ab25d67d6b346b7c96497c4ff18b76678ca990b8493f23248a4

Analysis

max time kernel
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
submitted
06/03/2024, 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

win.exe
Size

6.8MB
MD5

0721b1d0c9c68c18116273f2c293ff21
SHA1

dac53205b4ba718542138d90eb56f1641f5807b8
SHA256

0c3ee3977deb2ab25d67d6b346b7c96497c4ff18b76678ca990b8493f23248a4
SHA512

012ee21fa04e7e361d4565ba81cc8ba256fb48a75cc93c5c6ea1f77f1e69adc3a5c14275dfe358e72b6f41dd67d174c0bbb4ca26d39f9c08168ccbb9d06d3ba9
SSDEEP

49152:k92mic7iMnbPvRUAm+ugRkqjR7Q8TOc5KubExvCsNGEgveIXB4IuBNT/IeswF69B:BmP7i+Rf0es5u2BNTAcSE8wIX

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 3304	820	win.exe	87
PID 820 wrote to memory of 3304	820	win.exe	87
PID 820 wrote to memory of 3304	820	win.exe	87

C:\Users\Admin\AppData\Local\Temp\win.exe
"C:\Users\Admin\AppData\Local\Temp\win.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:820
- C:\Windows\SysWOW64\cmd.exe
  cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\s.bat

Filesize
262B

MD5
dace4cfc41d54279f64553161c75d806

SHA1
d39661eb638c9a278352de505e26e7b044cc8a02

SHA256
ba823dd59d178cf2f905e66fde280f8e23feb0eb1e85d281a99ff487f8f01c37

SHA512
512e9a434d5a0af2205531dd796ea6d61a37f006261dc4f52d2911672f7222aa76dcc2cddb65b0fa40fb63e9d04ab0608812fa7b5351505c3e30227441ee23ef

Download Submit