fe57170e1be1fe29f21b81d02c30a352207e663996c2bd07c3166c7b01e4b5a9

Analysis

max time kernel
102s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e80b57a9b5b3f3a5ff3edbc01595200N.exe
Size

1024KB
MD5

5e80b57a9b5b3f3a5ff3edbc01595200
SHA1

f091052d4adfa562147c8d6aaddc9773a7b4a595
SHA256

fe57170e1be1fe29f21b81d02c30a352207e663996c2bd07c3166c7b01e4b5a9
SHA512

300bc63fe4b95435e31bd345d29bc52e71a8149da849aeec12f421f5c24051dcec07ec45f4d41849198fb97a7696f4478f5b03ad226ea50d6d7bff4a7534045c
SSDEEP

24576:Uam3rV3C5USOHS16lvVJJLr7oNEDAw4GLZmN1VUZmSordfqs:Uam3r5S+SQlVDr7oq34CZmXiZmSadfq

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3904	7A21.tmp

Executes dropped EXE 1 IoCs

pid	Process
3904	7A21.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e80b57a9b5b3f3a5ff3edbc01595200N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7A21.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 3904	4496	5e80b57a9b5b3f3a5ff3edbc01595200N.exe	84
PID 4496 wrote to memory of 3904	4496	5e80b57a9b5b3f3a5ff3edbc01595200N.exe	84
PID 4496 wrote to memory of 3904	4496	5e80b57a9b5b3f3a5ff3edbc01595200N.exe	84

C:\Users\Admin\AppData\Local\Temp\5e80b57a9b5b3f3a5ff3edbc01595200N.exe
"C:\Users\Admin\AppData\Local\Temp\5e80b57a9b5b3f3a5ff3edbc01595200N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Users\Admin\AppData\Local\Temp\7A21.tmp
  "C:\Users\Admin\AppData\Local\Temp\7A21.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7A21.tmp

Filesize
1024KB

MD5
5114bf0ddef925369546d39bdf8db7f8

SHA1
0f392378e50b02e139b52a11f5eda39ffbc56ec2

SHA256
ea2dead1b83a89fc4a1a5d1fe563026fffaea93142926ae7f5b4f0777602a788

SHA512
8aba44af66a36a1f40d59a7f9bcc1417b19463d4a398070dbcc4ae3ad719f915082a5242dc5715d01d1d35bc248d51427c6d88ccbcb6096ce06f026dbdef5794

Download Submit