b50bbb4b93fd8ef7a2876b3743dfda6945e9011f406e71b41897244b0b836467

Analysis

max time kernel
145s
max time network
162s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10-08-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe
Size

750KB
MD5

01bb109640de25e5052b991261824f1c
SHA1

e539fb8e8a9cb6b5b7c11b8de3a782ede04de2dd
SHA256

2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc
SHA512

e2d6607a0eb500da7f5c8a98028d89d0c1e290642c5033072507b2de0bec711ba7e299cd29ce4965c03ae739c9c86620697ff009deee39528b1cbc5225758563
SSDEEP

12288:uh0vbB0rdv7/vGFJJu1Z7kjNfKWS4k5QVqNE8AknzmmtpTqJYQ:uhMt+v7/vGFJJunWSTj0YZFHQ

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
868	2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
868	2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe
4956	2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 868 set thread context of 4956	868	2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe	72

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\niveaukurven.ini	2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe
File opened for modification	C:\Program Files (x86)\vocabulary.Med	2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
868	2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 4956	868	2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe	72
PID 868 wrote to memory of 4956	868	2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe	72
PID 868 wrote to memory of 4956	868	2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe	72
PID 868 wrote to memory of 4956	868	2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe	72
PID 868 wrote to memory of 4956	868	2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe	72

C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe
"C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:868
- C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe
  "C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\rijksdaalder.lnk

Filesize
792B

MD5
10ccdd82ed8dd44462a107042b587158

SHA1
84c983e70faaa28d2b9869e26a07211e63df6be3

SHA256
abe397b1e42bfacc5e80f3e41fd064c59126929c225d076bb39252aa346cc692

SHA512
dc1e591eccbd2a0b524527bfb60d1d824394266d37020b16817d88f4f28ab8b90efa210ce67d9bcba87bd6e7529fd78b8d751ca6be3bbb8d4a3645d00d2f4843

Download Submit
\Users\Admin\AppData\Local\Temp\nsb889A.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
memory/868-675-0x00007FFA478C0000-0x00007FFA47A9B000-memory.dmp

Filesize
1.9MB

Download
memory/868-674-0x00007FFA478C1000-0x00007FFA479CF000-memory.dmp

Filesize
1.1MB

Download
memory/4956-676-0x00007FFA478C0000-0x00007FFA47A9B000-memory.dmp

Filesize
1.9MB

Download
memory/4956-677-0x00000000004A0000-0x0000000001823000-memory.dmp

Filesize
19.5MB

Download