d49b7c53b9493f64813aa78dc69f907920a2151193b9914efe3274db8301b641

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6f86e1af16ab6dc5bb0824b79d4a1d0N.exe
Size

24KB
MD5

a6f86e1af16ab6dc5bb0824b79d4a1d0
SHA1

c617b7c8e0a4e2c3587f2ee89da0be8d655443f9
SHA256

d49b7c53b9493f64813aa78dc69f907920a2151193b9914efe3274db8301b641
SHA512

3b60a1bf501b0d837dd2729164064f8759027f211fe6fc9475a65792bdffdb6b0a679397a94199c363e0af9946024fed8f9f6f7a3820649cee36b014ce540990
SSDEEP

768:ErznmMeTddsf9F7Rj8tXQ8vGIDflLLdlBF+pbb8:EfmrTdGu5Zv/f5m8

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3540	rmass.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000900000002344a-3.dat	upx
behavioral2/memory/3540-4-0x0000000000400000-0x0000000000411000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rmass.exe	a6f86e1af16ab6dc5bb0824b79d4a1d0N.exe
File created	C:\Windows\SysWOW64\rmass.exe	a6f86e1af16ab6dc5bb0824b79d4a1d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6f86e1af16ab6dc5bb0824b79d4a1d0N.exe

C:\Users\Admin\AppData\Local\Temp\a6f86e1af16ab6dc5bb0824b79d4a1d0N.exe
"C:\Users\Admin\AppData\Local\Temp\a6f86e1af16ab6dc5bb0824b79d4a1d0N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4632
- C:\Windows\SysWOW64\rmass.exe
  "C:\Windows\system32\rmass.exe"
  2⤵
  - Executes dropped EXE
  PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rmass.exe

Filesize
20KB

MD5
8c9495ff3e155e3e96c5ff492f81af1f

SHA1
7912796f51b63f80685d01ae609680e9071f841e

SHA256
5cacdac931bc0937a2eabf60c36a30ae9914e3301ba5a71b6c65fd80bbdebc56

SHA512
51ea5c4c0b832e76b7e4af3692260cc3f7f85b1b57936d08984bcda40a743d986584469d80916b7e02e6e19ad0c1d6640aa7b9252520434834c5791385f2b1d3

Download Submit
memory/3540-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3540-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4632-0-0x0000000077DA2000-0x0000000077DA3000-memory.dmp

Filesize
4KB

Download
memory/4632-5-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download