6e19797d7a237e9d130a38f15b926485287c6ce842679aba850725589242c763

Analysis

max time kernel
137s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e19797d7a237e9d130a38f15b926485287c6ce842679aba850725589242c763.exe
Size

94KB
MD5

e89d0d6ba6f99ea0ddcd3cb028c4e74f
SHA1

0c4d37e0947692161c4f162a58feea31d915d34f
SHA256

6e19797d7a237e9d130a38f15b926485287c6ce842679aba850725589242c763
SHA512

3efca72a2dc3fb7d7ad5e48b2ccfa5ce83a00368dd4b1de5c1399ce5df1e542a2167b7e78cec14c9432512e9437a7684a2bc1a6837279205419a38b4d6496325
SSDEEP

1536:Sdyql1M7wIIEuti7rEYivykYkpaWj0OL+G7mJAm/lGAuJMLF4vsnXWkW3H6:SdV1Z1i3QKqSGCJr/lkJ6FQsnv

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2776	sppsrv.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xpwunp.dat	6e19797d7a237e9d130a38f15b926485287c6ce842679aba850725589242c763.exe
File created	C:\Windows\SysWOW64\sppsrv.exe	6e19797d7a237e9d130a38f15b926485287c6ce842679aba850725589242c763.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e19797d7a237e9d130a38f15b926485287c6ce842679aba850725589242c763.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sppsrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 716	5048	6e19797d7a237e9d130a38f15b926485287c6ce842679aba850725589242c763.exe	95
PID 5048 wrote to memory of 716	5048	6e19797d7a237e9d130a38f15b926485287c6ce842679aba850725589242c763.exe	95
PID 5048 wrote to memory of 716	5048	6e19797d7a237e9d130a38f15b926485287c6ce842679aba850725589242c763.exe	95

C:\Users\Admin\AppData\Local\Temp\6e19797d7a237e9d130a38f15b926485287c6ce842679aba850725589242c763.exe
"C:\Users\Admin\AppData\Local\Temp\6e19797d7a237e9d130a38f15b926485287c6ce842679aba850725589242c763.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_del.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:716

C:\Windows\SysWOW64\sppsrv.exe
C:\Windows\SysWOW64\sppsrv.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1288,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=3036 /prefetch:8
1⤵
PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_del.bat

Filesize
294B

MD5
e897199629935eab49a0664af97200d9

SHA1
f95bab57b71407bb62b36317dc9be45d27614bda

SHA256
8aa061c506113ae2fed651a8265505e0a5e02a804e2422f1e145ceb2830f192b

SHA512
f58f5ceb2d73a75500ac5a596de7b28119e0ccf6f9e59c36e59787b4e0afceaf6141ae50801d87007a24b15ca21100afd4c9a30ed44a98f0cd5267fc68d1b55b

Download Submit
C:\Windows\SysWOW64\sppsrv.exe

Filesize
94KB

MD5
7ff5c2c94ce3aa95e26a20b50499a7c6

SHA1
b66b55aa3c0b26353331f69db43301d72394c937

SHA256
c788bf7cf4affba6dfec30bd39142aed148f7d3e91afd96ca70bf884adadad6a

SHA512
765ac20dcc984aff4230eb1bf25e2d189fa91d056b96553e3d63971229fda784c2593933ef4ebcf4cee7a6f2405861d6a571a8ea1cbdfc881a9ef82b8c2d23b6

Download Submit
C:\Windows\SysWOW64\xpwunp.dat

Filesize
740B

MD5
df6a18f80e64d0c7bbc4a1fb66448f88

SHA1
e6f6dafe1fb3f84464aad607abf007d5f1fd0c5b

SHA256
a2fbde641ad9d95add4fc30c89fe55a9cf68ad0413c14f7a449b11c48eff147a

SHA512
4e890c578a1571b3e1c8f4b8c94a432501adce8ca6624230ad345146e3542acdc88c714ce6525a6701ba467cd6da07596bd4831b0d9e89bfba6c68a405a95ef9

Download Submit