Analysis
max time kernel: 93s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-08-2024 03:38
Static task: static1
Behavioral task: behavioral1
  Sample: 4c406e0cff3e8c4972d7712bfc6c1030N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 4c406e0cff3e8c4972d7712bfc6c1030N.exe
  Resource: win10v2004-20240730-en
General
Target: 4c406e0cff3e8c4972d7712bfc6c1030N.exe
Size: 73KB
MD5: 4c406e0cff3e8c4972d7712bfc6c1030
SHA1: b1dfb861beda6bd250da789eaeee3fca8a213bb6
SHA256: 0f449b13396a7bbeaffb355f86a8d053c250e9640aa2e37214c79b1c617fc60e
SHA512: b33786c7085a59b1f2fda42636a07c78429b2de377fb4ed73e85a7b45836847b8ed21b58cad8bca8472298da8bec2fe3ae310efb39099c1c3e3757c4cda1fb80
SSDEEP: 1536:hbUtOWnhU/X9K5QPqfhVWbdsmA+RjPFLC+e5hE0ZGUGf2g:hQtOWnG/tNPqfcxA+HFshEOg
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  1536  [email protected]

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4c406e0cff3e8c4972d7712bfc6c1030N.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [email protected]
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                procid_target
  PID 436 wrote to memory of 4912    436   4c406e0cff3e8c4972d7712bfc6c1030N.exe  84
  PID 436 wrote to memory of 4912    436   4c406e0cff3e8c4972d7712bfc6c1030N.exe  84
  PID 436 wrote to memory of 4912    436   4c406e0cff3e8c4972d7712bfc6c1030N.exe  84
  PID 4912 wrote to memory of 1536   4912  cmd.exe                                85
  PID 4912 wrote to memory of 1536   4912  cmd.exe                                85
  PID 4912 wrote to memory of 1536   4912  cmd.exe                                85
  PID 1536 wrote to memory of 4788   1536  [email protected]                      86
  PID 1536 wrote to memory of 4788   1536  [email protected]                      86
  PID 1536 wrote to memory of 4788   1536  [email protected]                      86
Processes
1. C:\Users\Admin\AppData\Local\Temp\4c406e0cff3e8c4972d7712bfc6c1030N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4c406e0cff3e8c4972d7712bfc6c1030N.exe"
   PID: 436
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c [email protected]
      PID: 4912
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\[email protected]
         PID: 1536
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c 00.exe
            PID: 4788
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\[email protected]
  Filesize: 73KB
  MD5: 1f4d81ec4e1f6a10604aa3eadb22ac75
  SHA1: a3191a4807f5abfd30574835a536b2e8a76ef8ba
  SHA256: 59577f9434707408ebb37b736c5e48670c32f89d5ec080c5fa3f4e6c0154c850
  SHA512: 9716618ed58ffbcc58d0f07d7d8f76a023abb557ee7708db97bf355df0083de62b6e9c4ae90d1e8a4c325c4535f2132184f61a9a0c71318f84ff8eae233a286f

  Filesize: 2KB
  MD5: 7b621943a35e7f39cf89f50cc48d7b94
  SHA1: 2858a28cf60f38025fffcd0ba2ecfec8511c197d
  SHA256: bef04c2f89dc115ce2763558933dba1767bf30cda6856d335ae68955923f9991
  SHA512: 4169e664ad4e7e6891a05ceed78465e0ec44879b37fc0de97c014945e10c161f6bfb040efc24edc136e69bb115b2a1327b04cefb58141f712da856129872e8f1