5a2fb74b9d314cd7647289bd9c224f45d228526943eb25abbc5138a9dbc69021

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a2fb74b9d314cd7647289bd9c224f45d228526943eb25abbc5138a9dbc69021.exe
Size

528KB
MD5

7c5086017d4d315310dc86e206d09702
SHA1

3996f4e7a1d8fb3705870b047096f7b51c96c0f9
SHA256

5a2fb74b9d314cd7647289bd9c224f45d228526943eb25abbc5138a9dbc69021
SHA512

183f02e9449b6257019fa94420ba8dc4319ae77d067348e624069f3314dfef60db2319b51efaba3703e1139cc317c4beeb6208a2d1c4e77ad1ed112cc3bc31d4
SSDEEP

12288:hmLoLgmqLjKDzsMLYvNMy2RFQny1nve0mF:hmLoLgJLjKDzs9NMy2RFQny1nve0M

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	5a2fb74b9d314cd7647289bd9c224f45d228526943eb25abbc5138a9dbc69021.exe

Deletes itself 1 IoCs

pid	Process
1148	Sysceamnakwv.exe

Executes dropped EXE 1 IoCs

pid	Process
1148	Sysceamnakwv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a2fb74b9d314cd7647289bd9c224f45d228526943eb25abbc5138a9dbc69021.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamnakwv.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	5a2fb74b9d314cd7647289bd9c224f45d228526943eb25abbc5138a9dbc69021.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe
1148	Sysceamnakwv.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 1148	3088	5a2fb74b9d314cd7647289bd9c224f45d228526943eb25abbc5138a9dbc69021.exe	90
PID 3088 wrote to memory of 1148	3088	5a2fb74b9d314cd7647289bd9c224f45d228526943eb25abbc5138a9dbc69021.exe	90
PID 3088 wrote to memory of 1148	3088	5a2fb74b9d314cd7647289bd9c224f45d228526943eb25abbc5138a9dbc69021.exe	90

C:\Users\Admin\AppData\Local\Temp\5a2fb74b9d314cd7647289bd9c224f45d228526943eb25abbc5138a9dbc69021.exe
"C:\Users\Admin\AppData\Local\Temp\5a2fb74b9d314cd7647289bd9c224f45d228526943eb25abbc5138a9dbc69021.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Users\Admin\AppData\Local\Temp\Sysceamnakwv.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamnakwv.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sysceamnakwv.exe

Filesize
528KB

MD5
026b9b34ff09a6658326d65f7e79d2e5

SHA1
206205c710e6582dcd2c1c02dddc9fe19eff8274

SHA256
251452958b1b4a0409f2ad83f7ae17ad17453c898967896262b516ed774fd2a1

SHA512
fba7180d288347c18b2116777ac605cc5b29f6580cfc60da247f3e33446130add882f6ea7a261913983b7791fcdd44919eb23a0ac030956f1a4dded968b0c647

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
7f343f4706d5c2185e13e9e7f73cd94a

SHA1
d0e4703ef736bf6b8092629723cdaaa6368e9917

SHA256
f86597b83f01fbc6b7f9e8ddc4aef7b5618a06a672fd066cc4f269c95af4292a

SHA512
8041b8fd63f7d4ab185fb3dda1a401abb078c0ea77d58d27d22e1273fd4df7d1bd4627277962ed305430bc14effaa883f5fc861b2cc57a0cd827e700aaac425b

Download Submit