fc02d696384e1462f897cef7807324de9d7cd5286e23db2385fe72dfd9267af5

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 11:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bad369a230363f3096d7021af19d4b20N.exe
Size

83KB
MD5

bad369a230363f3096d7021af19d4b20
SHA1

25adc415d1cfd073f5bdf25b55b90852e8e1b2a9
SHA256

fc02d696384e1462f897cef7807324de9d7cd5286e23db2385fe72dfd9267af5
SHA512

e5697554c6e5071312e0efaba3e683dcabb640d1bdee5f3085871cd4680816d5133b06efa08c0a84d8afa422842be56b61f6674e4c2f0c0dbeaae7e7b3ec323f
SSDEEP

1536:lvBuveRBHjUWkOQA8A0qUhMb2nuy5wgIP0CS3q+5y1hGB8GMGlZ54:lv0WBJBGhqU7uy5w9NMyPGN54

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2624	[email protected]

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bad369a230363f3096d7021af19d4b20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 2360	864	bad369a230363f3096d7021af19d4b20N.exe	84
PID 864 wrote to memory of 2360	864	bad369a230363f3096d7021af19d4b20N.exe	84
PID 864 wrote to memory of 2360	864	bad369a230363f3096d7021af19d4b20N.exe	84
PID 2360 wrote to memory of 2624	2360	cmd.exe	85
PID 2360 wrote to memory of 2624	2360	cmd.exe	85
PID 2360 wrote to memory of 2624	2360	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\bad369a230363f3096d7021af19d4b20N.exe
"C:\Users\Admin\AppData\Local\Temp\bad369a230363f3096d7021af19d4b20N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
83KB

MD5
0edc981bcf340a4999707a438e1b8bd5

SHA1
3b9dd0898d0e5473b014ef7918edb818541c9f8f

SHA256
2ae15ca31155292de46e51f1eab3443b61f1596261e1bcc55de6b1612f7aa8d0

SHA512
f84eab0accbf5cf6805c513b0f0b97b270864f6f618c5889eaa18f870505156412d3c471d7ea41478a231559d0368d7491bccc3b310190f43575799008a1dcd6

Download Submit
memory/864-6-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2624-5-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download