31eaf59cea3e2333e16ee808800b20c9a28a4db51f73fbf786ca2255b1cd200b

Analysis

max time kernel
94s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 15:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2b291d24bb315b4e0fef22878c600a70N.exe
Size

7.0MB
MD5

2b291d24bb315b4e0fef22878c600a70
SHA1

799af54e1dbdab3565e8a6d8f54c1b29bf1a4638
SHA256

31eaf59cea3e2333e16ee808800b20c9a28a4db51f73fbf786ca2255b1cd200b
SHA512

ed0932ecf77cd6c7e34e7b919ba43af008f259632176312b702edc3a90391b044b130cfdcfc97c602b40631ec683ef17e698ccbb77950906875a5ac942817ca5
SSDEEP

98304:emhd1Uryeoyt6zLV3bFSmrGoZ2amHV7wQqZUha5jtSyZIUbn:elI9rSsGytmH2QbaZtliK

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4136	B47B.tmp

Executes dropped EXE 1 IoCs

pid	Process
4136	B47B.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b291d24bb315b4e0fef22878c600a70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B47B.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 4136	3932	2b291d24bb315b4e0fef22878c600a70N.exe	86
PID 3932 wrote to memory of 4136	3932	2b291d24bb315b4e0fef22878c600a70N.exe	86
PID 3932 wrote to memory of 4136	3932	2b291d24bb315b4e0fef22878c600a70N.exe	86

C:\Users\Admin\AppData\Local\Temp\2b291d24bb315b4e0fef22878c600a70N.exe
"C:\Users\Admin\AppData\Local\Temp\2b291d24bb315b4e0fef22878c600a70N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Users\Admin\AppData\Local\Temp\B47B.tmp
  "C:\Users\Admin\AppData\Local\Temp\B47B.tmp" --splashC:\Users\Admin\AppData\Local\Temp\2b291d24bb315b4e0fef22878c600a70N.exe C4098CB6E740ADA5D229DD65721965D9E5CC2135C365680A12C02F3EF679CE5DBA3F1A0EA80B1BF813AA8D0A45CAE10EE5963DCBEE5E3C6EFAE77C076E8973CB
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B47B.tmp

Filesize
7.0MB

MD5
e718adce5294d014e64308b5f194efb8

SHA1
889ac135988d467c8d7d04c059f619f2429b0b78

SHA256
bba110dbbe7c68cb4b61f8782d3f4445b2f694ba72f8ac93d7cde3bbd9a68208

SHA512
9c5cfc0110dc8b003e01a3c6279f941fafe5d92aa5fcb8b4fc426e33825f6504e463e7a24b49aba460bd27b39f3d3114deac78d3c05dd5cd3c0bebd4819fafd1

Download Submit
memory/3932-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/4136-5-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download