a6424cc1d3efc519a6bc61eae187ab89378d374493695d5ce5a1d602eb79d223

Analysis

max time kernel
139s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

itranslator.exe
Size

8.2MB
MD5

39c773dc1a684e370f8850487cd31eae
SHA1

7ecf60a864c35ee9f77c1ec5587f444070769ddb
SHA256

d2286a1d9143bcaeaeef5ced8ca3e33fac408bb6b6f8e636486e74d9d451456a
SHA512

5754fc5fe7f7b98de19475064f0e46cc718c65638a8d6b8018016a780912b6df825282a2c4ae812836fb3dc34f4f42d484001583ea6fecde300f87d250d32f8d
SSDEEP

196608:OTL4wY2cxPV4X1NC6ehoulK75jDvXRCvKERWY0qEOSLtQwpuC:wmPVQLtd7BXRyKEL03

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

itranslator.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	itranslator.exe

Executes dropped EXE 1 IoCs

Processes:

itranslator.exe

pid process

1408 itranslator.exe
Drops file in Windows directory 1 IoCs

Processes:

itranslator.exe

description ioc process

File created C:\Windows\iTranslator itranslator.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

660

pid	process
1408	itranslator.exe

description	ioc	process
File created	C:\Windows\iTranslator	itranslator.exe

pid	process
660

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

itranslator.exe

description	pid	process	target process
PID 1632 wrote to memory of 2972	1632	itranslator.exe	wusa.exe
PID 1632 wrote to memory of 2972	1632	itranslator.exe	wusa.exe
PID 1632 wrote to memory of 2972	1632	itranslator.exe	wusa.exe
PID 1632 wrote to memory of 1408	1632	itranslator.exe	itranslator.exe
PID 1632 wrote to memory of 1408	1632	itranslator.exe	itranslator.exe

C:\Users\Admin\AppData\Local\Temp\itranslator.exe
"C:\Users\Admin\AppData\Local\Temp\itranslator.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\wusa.exe
"C:\Windows\System32\wusa.exe"
2⤵
PID:2972

C:\ProgramData\itranslator\itranslator.exe
"C:\ProgramData\itranslator\itranslator.exe" u660
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\itranslator\itranslator.exe
Filesize
4.2MB

MD5
80a1e65922f40fedd537c30c8addac9c

SHA1
e495e66552295a63c434df2739ae55031447d057

SHA256
381babc4a9782d4e2996b6e7bf8d305689c5a9049c4f617ff32428083f6f1676

SHA512
59acc5ca8b2ceb3281f0d69e2d8614c299bab32e464db0d0df0297531c97882c8796350840c6b709ef729f75d5d64e55b1abbb29509def66c03ac39d92aa0ec3

Download Submit