2f87be0083646c56a680d10e17b26f55582cfd81446ba5fa49ee3e5cbb695ae8

Analysis

max time kernel
101s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dab3c2214dadbc904b098f373a8fd3b0N.exe
Size

504KB
MD5

dab3c2214dadbc904b098f373a8fd3b0
SHA1

258406d2e5433960d5c07908332a0e354d29867c
SHA256

2f87be0083646c56a680d10e17b26f55582cfd81446ba5fa49ee3e5cbb695ae8
SHA512

2e7d49249d54c2acb122b775d3ec4e6c127f4f2589fa76526150b531f6464ecd0d9b26f5da4e519f1a118d47803872d73b6a14e400f8097137e72a01d03a14ca
SSDEEP

12288:8X/6dDqPkhJhW4KlYdMTUA8j0q7g2iZ1gwrRSU6iQ:+6dDqPk/QYdMTP2bwrwUtQ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2784	EXE91A1.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dab3c2214dadbc904b098f373a8fd3b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXE91A1.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2784	EXE91A1.tmp
2784	EXE91A1.tmp

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2784	1900	dab3c2214dadbc904b098f373a8fd3b0N.exe	84
PID 1900 wrote to memory of 2784	1900	dab3c2214dadbc904b098f373a8fd3b0N.exe	84
PID 1900 wrote to memory of 2784	1900	dab3c2214dadbc904b098f373a8fd3b0N.exe	84
PID 2784 wrote to memory of 3016	2784	EXE91A1.tmp	85
PID 2784 wrote to memory of 3016	2784	EXE91A1.tmp	85

C:\Users\Admin\AppData\Local\Temp\dab3c2214dadbc904b098f373a8fd3b0N.exe
"C:\Users\Admin\AppData\Local\Temp\dab3c2214dadbc904b098f373a8fd3b0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\EXE91A1.tmp
  "C:\Users\Admin\AppData\Local\Temp\EXE91A1.tmp" "C:\Users\Admin\AppData\Local\Temp\OFM91A2.tmp" "C:\Users\Admin\AppData\Local\Temp\dab3c2214dadbc904b098f373a8fd3b0N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:3016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EXE91A1.tmp

Filesize
980KB

MD5
34cabedafaf5ce498d245242ac48670e

SHA1
7a78f2a64618448f8118203f3c7225f6f84622d0

SHA256
6dbefd357dc6ad020b5f4c7597312029094bdf9cc08bf2ae911bb2617ab28b39

SHA512
6801b911e4272093129cea416d4e8334250f6d393b4d634d251c22922f5c1906516cf53e2958011e7cb3e2a3e86ba74ea2547bbbcaba210db375ac0a6152fe18

Download Submit
C:\Users\Admin\AppData\Local\Temp\OFM91A2.tmp

Filesize
48KB

MD5
f7e8bc4e21956bbf0315ddbcc3f19012

SHA1
ddba9ac3764c6c6179ef7f753833dfd4c30d5779

SHA256
1331cfd849389f235102138dc7dc43e831447f53508836af0b289c0aa0e8cedc

SHA512
194b0e5b52a34e21aacdf0c0da28102befb4faf7cf7b02c64d37e9c71cef2169ef32fec2543b944a7c599c576ee2f32db8f858666d21d8010d585b48aebe26fc

Download Submit