e7cae85cbc2cad1f80d2335db61d167bd478c4e69ba2343c725d516edcb579fb

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7cae85cbc2cad1f80d2335db61d167bd478c4e69ba2343c725d516edcb579fb.exe
Size

87KB
MD5

5c07cc4269969eb46cc292a9cccaa5e7
SHA1

6f162fe9e7641a9678c031a94645abe3b78981d2
SHA256

e7cae85cbc2cad1f80d2335db61d167bd478c4e69ba2343c725d516edcb579fb
SHA512

cbbaf1e1d586f262967ccfafbc14458300a9f43e30fce94cfe94236c81e1c3cea2655d90c989816da9a95f118e6c4b0d9dd327e4afb3d39c791a3a3cda2f71c8
SSDEEP

1536:GdWvtNFN+F+EchVsM/Vycyq1h6MtVYTjipvF2wI/KR11JdNqNY4X9/:IW1NWcyq1hnbYvQd26xU//

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3044	rianesad.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	icanhazip.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7cae85cbc2cad1f80d2335db61d167bd478c4e69ba2343c725d516edcb579fb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rianesad.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 3044	1772	e7cae85cbc2cad1f80d2335db61d167bd478c4e69ba2343c725d516edcb579fb.exe	85
PID 1772 wrote to memory of 3044	1772	e7cae85cbc2cad1f80d2335db61d167bd478c4e69ba2343c725d516edcb579fb.exe	85
PID 1772 wrote to memory of 3044	1772	e7cae85cbc2cad1f80d2335db61d167bd478c4e69ba2343c725d516edcb579fb.exe	85

C:\Users\Admin\AppData\Local\Temp\e7cae85cbc2cad1f80d2335db61d167bd478c4e69ba2343c725d516edcb579fb.exe
"C:\Users\Admin\AppData\Local\Temp\e7cae85cbc2cad1f80d2335db61d167bd478c4e69ba2343c725d516edcb579fb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Local\Temp\rianesad.exe
  C:\Users\Admin\AppData\Local\Temp\rianesad.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rianesad.exe

Filesize
87KB

MD5
fdb0b46e0b4a866265b6116a1055ae41

SHA1
5d45d9084ecfaf44867424913342d57b520d3a13

SHA256
1400bebe316fcde384fddf7cc6c77f4fca8d41e29337addc13366cb826828963

SHA512
f5dfba9b7b1b2081f5f1fb1b074a784b641b67ee9dd034e26b65d39b00a58ae2290832a3345894a03e46ab94d2ab870f239fb5a7fa3544d484b1741885c4336c

Download Submit
memory/1772-1-0x0000000000403000-0x0000000000405000-memory.dmp

Filesize
8KB

Download
memory/3044-5-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download