a50d24294959e6c3b9cf48ca8182e25ecd7b58875ad26ae246402641b7a7cb49

Analysis

max time kernel
104s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 00:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

40799c55128c889143e2886a71122f90N.exe
Size

9.8MB
MD5

40799c55128c889143e2886a71122f90
SHA1

853078d2bb6e817d167c3da60ab251fe1a00bb25
SHA256

a50d24294959e6c3b9cf48ca8182e25ecd7b58875ad26ae246402641b7a7cb49
SHA512

6f94343474fd9013a67d7afda81d2852a80a744b2f7fab9b120ee7d040c133135600a8e7bd51c1deb3d87401b3f69b335e5559fffef16b21b70bcf5fcfe32c19
SSDEEP

196608:lVuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuy777777777777777j:lVuuuuuuuuuuuuuuuuuuuuuuuuuuuuum

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5108	svrwsc.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4312-0-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/files/0x000700000002325a-4.dat	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svrwsc.exe	svrwsc.exe
File created	C:\Windows\SysWOW64\svrwsc.exe	40799c55128c889143e2886a71122f90N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40799c55128c889143e2886a71122f90N.exe

C:\Users\Admin\AppData\Local\Temp\40799c55128c889143e2886a71122f90N.exe
"C:\Users\Admin\AppData\Local\Temp\40799c55128c889143e2886a71122f90N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4312

C:\Windows\SysWOW64\svrwsc.exe
C:\Windows\SysWOW64\svrwsc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\svrwsc.exe

Filesize
10.1MB

MD5
8ea5c847c3694e6070926c74e3d6d856

SHA1
f1118c97a5783be3a6a0f6e0481f0826e76be0f9

SHA256
e2e2f89480a6cec33abf5877569338f8c76f6f2b0c19b982be4dc094692ec5fb

SHA512
e29b64640084ee3af6c647998fb2285d971b14415c204bf1263ba59a9d01c5abfab0e751b53fad679408278685fe49b1d09303053a83eca3a883c87bddc6a9f9

Download Submit
memory/4312-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4312-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4312-1-0x00000000007E0000-0x00000000007E5000-memory.dmp

Filesize
20KB

Download
memory/4312-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5108-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download