130a9133e751221a661fc2f9c4eda28faa9f309528812d76fbf3f170af6533fd

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69be3d3443e619b7df35cc7e8f9f6a50N.exe
Size

5.4MB
MD5

69be3d3443e619b7df35cc7e8f9f6a50
SHA1

acaf1cb8ec51d54e8d3b0281bd02b059b66791ce
SHA256

130a9133e751221a661fc2f9c4eda28faa9f309528812d76fbf3f170af6533fd
SHA512

2a2d44fa0a97e85ec68d581c21fc551cd9ab4e2bb244870f1ac1942af143204ef84d2a5934c3af33dd0b1e3acaade64ba8d961cb9f9a32d3947bcf9fca42f259
SSDEEP

98304:emhd1UryeOpuwTInFmqhucZaPIV7wQqZUha5jtSyZIUh:elJcyhEPI2QbaZtliU

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4516	F6A4.tmp

Executes dropped EXE 1 IoCs

pid	Process
4516	F6A4.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69be3d3443e619b7df35cc7e8f9f6a50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F6A4.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 4516	4796	69be3d3443e619b7df35cc7e8f9f6a50N.exe	85
PID 4796 wrote to memory of 4516	4796	69be3d3443e619b7df35cc7e8f9f6a50N.exe	85
PID 4796 wrote to memory of 4516	4796	69be3d3443e619b7df35cc7e8f9f6a50N.exe	85

C:\Users\Admin\AppData\Local\Temp\69be3d3443e619b7df35cc7e8f9f6a50N.exe
"C:\Users\Admin\AppData\Local\Temp\69be3d3443e619b7df35cc7e8f9f6a50N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Local\Temp\F6A4.tmp
  "C:\Users\Admin\AppData\Local\Temp\F6A4.tmp" --splashC:\Users\Admin\AppData\Local\Temp\69be3d3443e619b7df35cc7e8f9f6a50N.exe 1C254988ED46E74374EA13C44E5D039D68C3084C0A0D1A7BEED292721C76FD43F5EDF589AC56DE03518FE8D85615960BDBB981206DB2FC23436CE87A2E2B2523
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F6A4.tmp

Filesize
5.4MB

MD5
0f1ff456db9da9d8a00b903983a9a00a

SHA1
560a0290e69dbfba3616f0df431f906149465c9f

SHA256
79374d099f73d9ac00da8b0894f001f49d54dc99679228b1737def67c6baa003

SHA512
4e8cf0a751e9a2dc65a8521adaa98a294204e8c1fd8b2883dd2fa4f51214cbfb86b5ce78627e4fd31d5f113e702d828edab70c32ce775a06a13ec2ed029bedbb

Download Submit
memory/4516-5-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/4796-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download