b2eb250795bf6c7f901b27f854393324317a3c3b48e1b699488a0332c750e7ec

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9efa2677fea7f49fbf6caf980370570N.exe
Size

36KB
MD5

d9efa2677fea7f49fbf6caf980370570
SHA1

171a1e8c42a7158b4e93d21c9c56d8ff9c3ae611
SHA256

b2eb250795bf6c7f901b27f854393324317a3c3b48e1b699488a0332c750e7ec
SHA512

730f108927e00ac5fd2ed70cf81e056413689c119fa373e808a3058d296d73db0fee35fdb6834ee85f44d72118b47a938937b60822097f3b0b544983a0a136e7
SSDEEP

768:SeAaL04BLz72FTgIYYU08dEFr3bRktD/9lIaBmb:9AaL0407YAdFrLYzrmb

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	d9efa2677fea7f49fbf6caf980370570N.exe

Executes dropped EXE 1 IoCs

pid	Process
1716	pdf_update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9efa2677fea7f49fbf6caf980370570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdf_update.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 1716	1228	d9efa2677fea7f49fbf6caf980370570N.exe	84
PID 1228 wrote to memory of 1716	1228	d9efa2677fea7f49fbf6caf980370570N.exe	84
PID 1228 wrote to memory of 1716	1228	d9efa2677fea7f49fbf6caf980370570N.exe	84

C:\Users\Admin\AppData\Local\Temp\d9efa2677fea7f49fbf6caf980370570N.exe
"C:\Users\Admin\AppData\Local\Temp\d9efa2677fea7f49fbf6caf980370570N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\pdf_update.exe
  "C:\Users\Admin\AppData\Local\Temp\pdf_update.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pdf_update.exe

Filesize
36KB

MD5
4ef99d51932e3ed7d32dbb6896e5770a

SHA1
05ee8f588e5ec9b72a9961502189cc9f5bf2af06

SHA256
9020e89c5f39e1c6cfd6cc81b4a6b469bd12e81d89140b752a4b0247e4de278a

SHA512
f52f963017b74c8442ab1e0fd3b822374dfba5d40f47a6aa40a17148de26d9717a9faf0a81023a0ab2912379f14e86cd60a755b0e20d3be6fea082bd5002a339

Download Submit
memory/1228-0-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/1716-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download