15dfeaa1d3e644fc2627727b72135f00e1d83607de726ac98e8fcd72b40f5bda

Analysis

max time kernel
101s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a92271f5b4e7f4fcda1526199522c70N.exe
Size

97KB
MD5

9a92271f5b4e7f4fcda1526199522c70
SHA1

d645d1800a5e93ac7478709fb8b276aa3466e365
SHA256

15dfeaa1d3e644fc2627727b72135f00e1d83607de726ac98e8fcd72b40f5bda
SHA512

6f88616eb36d7909c4c57596a12f4a18668e4720b9cf370491f3f72d9dc17077a8c47c6fa963bb78610b1002411c15deaa5d79a0ad0ee1d38d0364fbe3f24ca0
SSDEEP

1536:jk3Kfxlw6+JOclgW38j3fxgj5rOSb1Z2Z8CfefrDWO/8nPm8g4pZc:jk3KUJJsj3fKFJP3/r67PmmpZc

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2544	9a92271f5b4e7f4fcda1526199522c70N.exe

Executes dropped EXE 1 IoCs

pid	Process
2544	9a92271f5b4e7f4fcda1526199522c70N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9a92271f5b4e7f4fcda1526199522c70N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3472	9a92271f5b4e7f4fcda1526199522c70N.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3472	9a92271f5b4e7f4fcda1526199522c70N.exe
2544	9a92271f5b4e7f4fcda1526199522c70N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 2544	3472	9a92271f5b4e7f4fcda1526199522c70N.exe	86
PID 3472 wrote to memory of 2544	3472	9a92271f5b4e7f4fcda1526199522c70N.exe	86
PID 3472 wrote to memory of 2544	3472	9a92271f5b4e7f4fcda1526199522c70N.exe	86

C:\Users\Admin\AppData\Local\Temp\9a92271f5b4e7f4fcda1526199522c70N.exe
"C:\Users\Admin\AppData\Local\Temp\9a92271f5b4e7f4fcda1526199522c70N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Users\Admin\AppData\Local\Temp\9a92271f5b4e7f4fcda1526199522c70N.exe
  C:\Users\Admin\AppData\Local\Temp\9a92271f5b4e7f4fcda1526199522c70N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9a92271f5b4e7f4fcda1526199522c70N.exe

Filesize
97KB

MD5
0e0695d903a482edaeefec05cd4a76c4

SHA1
dc6f44ec26b1258ec4ba5652caa6eb8c95218f06

SHA256
8edbf57b7a63981f72fa8997176b8884fdf1b1a531d83b4fc1ceebd32c8b0633

SHA512
d9923c32e588f6e85043e05a4610d1044aeaec9f92c8e51577789c7bbbd25162b4611dfc00258329fefe212f4efe4da8166e5fb6190e45d3d3711e15c8ff8774

Download Submit
memory/2544-13-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2544-14-0x00000000001D0000-0x0000000000200000-memory.dmp

Filesize
192KB

Download
memory/2544-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2544-25-0x0000000004D90000-0x0000000004DAB000-memory.dmp

Filesize
108KB

Download
memory/2544-26-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3472-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3472-1-0x0000000001430000-0x0000000001460000-memory.dmp

Filesize
192KB

Download
memory/3472-2-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3472-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download