6005cc0a1b142455d353a81341b81084b37693c669811cf420386af065793a73

Analysis

max time kernel
593s
max time network
441s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
14-08-2024 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Inspected X l1nez/Install GIT.exe
Size

65.0MB
MD5

ceee36c1a922a546df83f5b8b225b6d6
SHA1

67a159a599b31cf5c46ae5287063ce103665321a
SHA256

ce022a6a19e58bbbd4823f51cf798b006b4a683b93b0616a7bb5beeee901da98
SHA512

eae0604b2ab823d7f9bd5b384420f0e1deafd3318f5d3a6d08b08d4482d34aaa7a2e418323d9707e962b5fcdcf4b26124cbe22d1f1ff6a9900bab02ad78a4bf9
SSDEEP

1572864:Bp3IOX9npCMJr7j5dXH+lbG+DH72eFy3vPjGtLOD6dU:Bp3IonpLb3qlHCeFy33P6dU

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1920	Install GIT.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install GIT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install GIT.tmp

Runs net.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 1920	4948	Install GIT.exe	82
PID 4948 wrote to memory of 1920	4948	Install GIT.exe	82
PID 4948 wrote to memory of 1920	4948	Install GIT.exe	82
PID 1920 wrote to memory of 3476	1920	Install GIT.tmp	83
PID 1920 wrote to memory of 3476	1920	Install GIT.tmp	83
PID 3476 wrote to memory of 2676	3476	cmd.exe	85
PID 3476 wrote to memory of 2676	3476	cmd.exe	85
PID 2676 wrote to memory of 2412	2676	net.exe	86
PID 2676 wrote to memory of 2412	2676	net.exe	86

C:\Users\Admin\AppData\Local\Temp\Inspected X l1nez\Install GIT.exe
"C:\Users\Admin\AppData\Local\Temp\Inspected X l1nez\Install GIT.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Local\Temp\is-JRN5E.tmp\Install GIT.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JRN5E.tmp\Install GIT.tmp" /SL5="$50106,66949336,867328,C:\Users\Admin\AppData\Local\Temp\Inspected X l1nez\Install GIT.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /d /c net session >"C:\Users\Admin\AppData\Local\Temp\is-OEMF1.tmp\net-session.txt"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-JRN5E.tmp\Install GIT.tmp

Filesize
3.1MB

MD5
2199ee2b5b3fe51b2780cd4eef861c80

SHA1
3ec72b2e03fc17c6d710fabd9fed0ddb37e6a674

SHA256
94be0c91ff410dad7af511ad32e27e04ddd145e1bec474a5a3b1149fc23cc0de

SHA512
70967c56b93794f396de27821e642543cfdcd3f5f0cdc22e04f1757bf1698a56119d9fabb8af61080dcff8eafd82b50569a6c87877e88a1e970512f097bdde47

Download Submit
memory/1920-6-0x0000000000400000-0x000000000071D000-memory.dmp

Filesize
3.1MB

Download
memory/1920-10-0x0000000000400000-0x000000000071D000-memory.dmp

Filesize
3.1MB

Download
memory/4948-1-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4948-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4948-9-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download