4680fda34192d0274834b36fa2d083922a11edb760531356c93b07ae961ed4d8

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37b6d904c13a7ab0f61df8e61bef9760N.exe
Size

390KB
MD5

37b6d904c13a7ab0f61df8e61bef9760
SHA1

c25da969b08ac17852264f6dffa6b39a840e2030
SHA256

4680fda34192d0274834b36fa2d083922a11edb760531356c93b07ae961ed4d8
SHA512

d482c75038739acb2c13a3d8a888321b3b45b7af51f48a794a689712a1c9b9ebfac895583c31a88f3dfeb6192b4a2e76405c9c86ada972e53f34d869b5f706c2
SSDEEP

12288:tSqQLZQRETdnspKyUWUn4OY5QQzzOPH1rJMP:E99JW64O7QzzM

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1908	appropriate.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\development\appropriate.exe	37b6d904c13a7ab0f61df8e61bef9760N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37b6d904c13a7ab0f61df8e61bef9760N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	appropriate.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4836	37b6d904c13a7ab0f61df8e61bef9760N.exe
4836	37b6d904c13a7ab0f61df8e61bef9760N.exe
4836	37b6d904c13a7ab0f61df8e61bef9760N.exe
4836	37b6d904c13a7ab0f61df8e61bef9760N.exe
1908	appropriate.exe
1908	appropriate.exe
1908	appropriate.exe
1908	appropriate.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 1908	4836	37b6d904c13a7ab0f61df8e61bef9760N.exe	86
PID 4836 wrote to memory of 1908	4836	37b6d904c13a7ab0f61df8e61bef9760N.exe	86
PID 4836 wrote to memory of 1908	4836	37b6d904c13a7ab0f61df8e61bef9760N.exe	86

C:\Users\Admin\AppData\Local\Temp\37b6d904c13a7ab0f61df8e61bef9760N.exe
"C:\Users\Admin\AppData\Local\Temp\37b6d904c13a7ab0f61df8e61bef9760N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Program Files\development\appropriate.exe
  "C:\Program Files\development\appropriate.exe" "33201"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\development\appropriate.exe

Filesize
390KB

MD5
28b1bc727b3ab5a23621f397b8afb193

SHA1
e258c9c0d76007ace3c13024e7a7398ba68c2414

SHA256
5d49b74984f16fdaa4d585a7caf9fe17e3ff72f50575e5a256667b1e9cdd998d

SHA512
c96d991654309f5cb5b5e7423a7ae2f2e53e6a0d41fd27432148eb62639367c8042d53e2ec6ce310afe2179b61cc8b2bf5e5ed67bb2b41a746c1dc12b5837f1b

Download Submit