a74c7c35d0e2cdd67faa2216dd1c3495e669ffd02529bfa9ae039b1a551c2d5a

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3.exe
Size

1.2MB
MD5

b0a9b6d1fe23191f5833d5aafda03461
SHA1

c75dd2fed0a1e1f4b122e40d8deceb1973a164c0
SHA256

a74c7c35d0e2cdd67faa2216dd1c3495e669ffd02529bfa9ae039b1a551c2d5a
SHA512

f67419ebe55ffd846df564821d9d5c80c94ed8a592f55233f4554f69ecdfabcf78914f86557a4dbd11571d41f788f9ea8e79d496fe96eea57260d5e8f502832f
SSDEEP

24576:iqDEvCTbMWu7rQYlBQcBiT6rprG8aoWUyjaSWIGFYmW:iTvC/MTQYxsWR7aoW9jaSI

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2280 set thread context of 1508	2280	3.exe	86

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1508	svchost.exe
1508	svchost.exe
1508	svchost.exe
1508	svchost.exe
1508	svchost.exe
1508	svchost.exe
1508	svchost.exe
1508	svchost.exe
1508	svchost.exe
1508	svchost.exe
1508	svchost.exe
1508	svchost.exe
1508	svchost.exe
1508	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2280	3.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2280	3.exe
2280	3.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2280	3.exe
2280	3.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 1508	2280	3.exe	86
PID 2280 wrote to memory of 1508	2280	3.exe	86
PID 2280 wrote to memory of 1508	2280	3.exe	86
PID 2280 wrote to memory of 1508	2280	3.exe	86

C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\3.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut8405.tmp

Filesize
281KB

MD5
77dd2dace8366cdbe0063cadb4d693c5

SHA1
893aa467fb4a70dcfbb7838eefdeae34eeb315dc

SHA256
440e10b0d7b7bcdb0455239cf8912bca46c54f3a03afd26c2837ecedebe98dd0

SHA512
d72df71b97e22f14d672ed75163dcb832232ae179c01d3308726874e9e154c65b361162017d56d37bdecdf0a47141fc8d051e8d0118e758d8a735fcdcef94f8d

Download Submit
memory/1508-14-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1508-15-0x0000000001A00000-0x0000000001D4A000-memory.dmp

Filesize
3.3MB

Download
memory/1508-16-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1508-17-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2280-13-0x0000000000B00000-0x0000000000B04000-memory.dmp

Filesize
16KB

Download