25f1979680c26601156c6ba3ad931b555b3f1ce82bf3546f8bf7d6241d3962d8

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25f1979680c26601156c6ba3ad931b555b3f1ce82bf3546f8bf7d6241d3962d8.exe
Size

455KB
MD5

d70754abc051edb0248b7287834808e2
SHA1

9266f535d621c52e7603c1f30be7f67025663003
SHA256

25f1979680c26601156c6ba3ad931b555b3f1ce82bf3546f8bf7d6241d3962d8
SHA512

4be8b38129532429c84835197c329ff69d74a567d00f0fa88319656c531bc3af6326fa24a5692a1ebbe9bc4005a53a52aeb818507c773055b76a4e33c34482ea
SSDEEP

12288:qmkOy5ws5qyKxg3Ismvo2gYcfygnXqD+k3TW:qfOy50Jx+IsV2mfXw+7

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3244	is-3DB9J.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25f1979680c26601156c6ba3ad931b555b3f1ce82bf3546f8bf7d6241d3962d8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-3DB9J.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3656 wrote to memory of 3244	3656	25f1979680c26601156c6ba3ad931b555b3f1ce82bf3546f8bf7d6241d3962d8.exe	84
PID 3656 wrote to memory of 3244	3656	25f1979680c26601156c6ba3ad931b555b3f1ce82bf3546f8bf7d6241d3962d8.exe	84
PID 3656 wrote to memory of 3244	3656	25f1979680c26601156c6ba3ad931b555b3f1ce82bf3546f8bf7d6241d3962d8.exe	84

C:\Users\Admin\AppData\Local\Temp\25f1979680c26601156c6ba3ad931b555b3f1ce82bf3546f8bf7d6241d3962d8.exe
"C:\Users\Admin\AppData\Local\Temp\25f1979680c26601156c6ba3ad931b555b3f1ce82bf3546f8bf7d6241d3962d8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Users\Admin\AppData\Local\Temp\is-TAU6K.tmp\is-3DB9J.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TAU6K.tmp\is-3DB9J.tmp" /SL4 $501E0 "C:\Users\Admin\AppData\Local\Temp\25f1979680c26601156c6ba3ad931b555b3f1ce82bf3546f8bf7d6241d3962d8.exe" 232353 52224
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-TAU6K.tmp\is-3DB9J.tmp

Filesize
648KB

MD5
0360b1d1195775766b2e78a7b463f658

SHA1
8e4b2b1b6d1e4446c979b0cea7db6db7eee21610

SHA256
bee86b674d51b4e21822e44f9408a69d60e282e39f5897888df334c74d840aa4

SHA512
23103b4457952091848f171f5c20351dd55ce1bce209da21c1b6792d6e0b13476a104698c31ad744df2df39408110d73f84b61e627bbb6d1d2a461db4370597d

Download Submit
memory/3244-12-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3244-14-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3656-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3656-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/3656-13-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download