fa337f53515da48c0134af74cf3b2d557c562b6ff4a8262bcb347cf4aecbfb4a

Resubmissions

17/08/2024, 17:13

240817-vrw6lazdqj 3

17/08/2024, 17:13

240817-vrj62azdnp 3

17/08/2024, 17:06

240817-vmkl1awglg 3

Analysis

max time kernel
15s
max time network
24s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
17/08/2024, 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kms_pico_fake_dll.dll
Size

2.4MB
MD5

2dd6d74189ce256e6bcb088d7a3ee29c
SHA1

47f3618d4f68a8cf1c9eda3b6b18e8b8e721ced3
SHA256

fa337f53515da48c0134af74cf3b2d557c562b6ff4a8262bcb347cf4aecbfb4a
SHA512

c232e6b3258ca7387b923ca781f84b65490b11570474ea3355083a13dcef0699d16ef370fd04b01befdf6aa39275f2b097f83bc9ac03c06bf8bf1a9fe70ced64
SSDEEP

49152:Dh39oIisk10LW6O+eTFtQkhBTK0oxjzTqNdj4lt+IIf+vjxV4Ye3X:DEf10LteTFikhBTK0kXTqjj4l3vHy3

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 212	4296	rundll32.exe	70
PID 4296 wrote to memory of 212	4296	rundll32.exe	70
PID 4296 wrote to memory of 212	4296	rundll32.exe	70

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\kms_pico_fake_dll.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\kms_pico_fake_dll.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/212-0-0x0000000002F80000-0x0000000002F86000-memory.dmp

Filesize
24KB

Download
memory/212-1-0x0000000010000000-0x000000001026D000-memory.dmp

Filesize
2.4MB

Download
memory/212-3-0x0000000004AE0000-0x0000000004BF6000-memory.dmp

Filesize
1.1MB

Download
memory/212-7-0x0000000004C10000-0x0000000004D09000-memory.dmp

Filesize
996KB

Download
memory/212-4-0x0000000004C10000-0x0000000004D09000-memory.dmp

Filesize
996KB

Download
memory/212-8-0x0000000004C10000-0x0000000004D09000-memory.dmp

Filesize
996KB

Download