0d2537e504e669f0019f3a1273947fbd26a3f192616fb77419ef53b5f05da01f

Analysis

max time kernel
119s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ed7e4866d81ad757e0cabb83111e530N.exe
Size

29KB
MD5

2ed7e4866d81ad757e0cabb83111e530
SHA1

7820fed34918afd7c94aae53c5868dc77fd1332a
SHA256

0d2537e504e669f0019f3a1273947fbd26a3f192616fb77419ef53b5f05da01f
SHA512

89442775dea0eadb34c23bd6c49f152c9c0e84dacd7be2954115c758d4796de3216c50960eee3ef671ff4e06b8cd3c6990cd8a2478f213a934a8682bf2ab07ec
SSDEEP

384:v/4LNJY74JwOllSBQmrb0i5PrmqHIKpa54b5f0iws0wGo+dN:v/qSamrxDmqoKM4Z0iwtwfg

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
852	2024072401.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ed7e4866d81ad757e0cabb83111e530N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024072401.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1604	2ed7e4866d81ad757e0cabb83111e530N.exe
852	2024072401.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 852	1604	2ed7e4866d81ad757e0cabb83111e530N.exe	84
PID 1604 wrote to memory of 852	1604	2ed7e4866d81ad757e0cabb83111e530N.exe	84
PID 1604 wrote to memory of 852	1604	2ed7e4866d81ad757e0cabb83111e530N.exe	84
PID 1604 wrote to memory of 988	1604	2ed7e4866d81ad757e0cabb83111e530N.exe	85
PID 1604 wrote to memory of 988	1604	2ed7e4866d81ad757e0cabb83111e530N.exe	85
PID 1604 wrote to memory of 988	1604	2ed7e4866d81ad757e0cabb83111e530N.exe	85

C:\Users\Admin\AppData\Local\Temp\2ed7e4866d81ad757e0cabb83111e530N.exe
"C:\Users\Admin\AppData\Local\Temp\2ed7e4866d81ad757e0cabb83111e530N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\2024072401.exe
  C:\Users\Admin\AppData\Local\Temp\2024072401.exe down
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\del.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024072401.exe

Filesize
29KB

MD5
4e395a68d8ef0ac2e2d57ac95dba9496

SHA1
0cba65d6f6a4a7767b4e0b827c2f8547321c94ee

SHA256
521fdf837074f23fe1321c648f653507299e90595c937ff22ea0840dd212d2db

SHA512
563d936609c72fb849161e7009c3ecb11469ff27bee1b6d3f8503efcc8dc76a05145423f1015bcd5cdd30c648fb2af8213ec7c739656bc61e069e4c6a81225ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.bat

Filesize
174B

MD5
54bc5fe95331b877f1c6939dd7389bb8

SHA1
0a89b4e5c30e2e98678d45824ea1a06a7024b29c

SHA256
513d3a48dc9473c9b16f70a5694e9863035ec2d8d1d8120bd5a101aaf9cc4774

SHA512
4079ee0a021b4cc51d4e30c2c2048f98609404c9f666d13871f3cb73ebcdb86c12959ab455b27c7ab3aac6044a71f74b53c8607f063bca5efabda91d9f97681d

Download Submit
memory/852-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download