07c2fb4fb2afe94a96a5df90e7315dd2361aed5ba6956af09d2ec090c4963b6d

Analysis

max time kernel
104s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2024, 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59939e932d9a1444570f03e9357ca7f0N.exe
Size

6.0MB
MD5

59939e932d9a1444570f03e9357ca7f0
SHA1

dcbb0cc5e577d986b95ae4362343ed5ed70e6f68
SHA256

07c2fb4fb2afe94a96a5df90e7315dd2361aed5ba6956af09d2ec090c4963b6d
SHA512

2d47eb2b474f541f952e53f5af5e16b92c5b6e1e024177bee87f65c604348ae57f22615f7273479cd1e1a4b5d251163b14ba20f7a90f957778b2fb82fcaf9a93
SSDEEP

98304:emhd1UryenF+r6sVUBcDEaG3V7wQqZUha5jtSyZIUS:ella6sVUcEa+2QbaZtlir

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2456	93B4.tmp

Executes dropped EXE 1 IoCs

pid	Process
2456	93B4.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59939e932d9a1444570f03e9357ca7f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93B4.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2456	1628	59939e932d9a1444570f03e9357ca7f0N.exe	87
PID 1628 wrote to memory of 2456	1628	59939e932d9a1444570f03e9357ca7f0N.exe	87
PID 1628 wrote to memory of 2456	1628	59939e932d9a1444570f03e9357ca7f0N.exe	87

C:\Users\Admin\AppData\Local\Temp\59939e932d9a1444570f03e9357ca7f0N.exe
"C:\Users\Admin\AppData\Local\Temp\59939e932d9a1444570f03e9357ca7f0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\93B4.tmp
  "C:\Users\Admin\AppData\Local\Temp\93B4.tmp" --splashC:\Users\Admin\AppData\Local\Temp\59939e932d9a1444570f03e9357ca7f0N.exe 076E63098B4FB2D40F68D78F6EF5ADFDC4C9645C80ECFC780ABD8857482A4BAD83AD3B82B371E54EE6FCC9AF55092FFDBF4227DB1AE7C8B08F579AC2CB476B1C
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\93B4.tmp

Filesize
6.0MB

MD5
208c16cc005f5f5a56798542ca689767

SHA1
6bdb56104fd5d88c87c0b2b0d1d673cdbc6e7278

SHA256
7a1266c457f0dcf875b6b5f883f224098b732b2f5deb538d9f4ce388d5a39924

SHA512
1e4a0a78e4972eb60ba8774212dd556a30a8e5f1754f7d4f2efaa511141925f42e9661f18f69c1fb1b805934d64e21a60c6fb32150dca47d36aae346c6ee3925

Download Submit
memory/1628-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/2456-5-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download