3266733f7763416a17a0a18aa06d493d535639bcd9cf969f6233f25591864eb0

Analysis

max time kernel
142s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3266733f7763416a17a0a18aa06d493d535639bcd9cf969f6233f25591864eb0.exe
Size

6.0MB
MD5

87b79dddbefea4f9d56dd0b47434282f
SHA1

17fe3a559739e56a3a6ee6bd5ebe7a75a8d1aeb8
SHA256

3266733f7763416a17a0a18aa06d493d535639bcd9cf969f6233f25591864eb0
SHA512

66c0ea79839f0c6caadc701051f86a1b00a85b559593ed717b682b4aa1b393b81bd1b63ead7c331ec3cae89d3366290ac8631345e42ca0df04640779f8b1ce78
SSDEEP

98304:emhd1UryeY3F1D8h+Uy5csV7wQqZUha5jtSyZIUS:el43jHes2QbaZtlir

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2460	BDD2.tmp

Executes dropped EXE 1 IoCs

pid	Process
2460	BDD2.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3266733f7763416a17a0a18aa06d493d535639bcd9cf969f6233f25591864eb0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BDD2.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2460	1744	3266733f7763416a17a0a18aa06d493d535639bcd9cf969f6233f25591864eb0.exe	87
PID 1744 wrote to memory of 2460	1744	3266733f7763416a17a0a18aa06d493d535639bcd9cf969f6233f25591864eb0.exe	87
PID 1744 wrote to memory of 2460	1744	3266733f7763416a17a0a18aa06d493d535639bcd9cf969f6233f25591864eb0.exe	87

C:\Users\Admin\AppData\Local\Temp\3266733f7763416a17a0a18aa06d493d535639bcd9cf969f6233f25591864eb0.exe
"C:\Users\Admin\AppData\Local\Temp\3266733f7763416a17a0a18aa06d493d535639bcd9cf969f6233f25591864eb0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\BDD2.tmp
  "C:\Users\Admin\AppData\Local\Temp\BDD2.tmp" --splashC:\Users\Admin\AppData\Local\Temp\3266733f7763416a17a0a18aa06d493d535639bcd9cf969f6233f25591864eb0.exe 93F2866771D7BB4E3BE917A32E514284D1E66ABB5FF557D61991B3862E21EA77D5B848547A0EB962F2A30B74AFE39720348C705C0984684419557CF75BF3A840
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BDD2.tmp

Filesize
6.0MB

MD5
c7a6216d965ff2e5a00461e385660ab9

SHA1
cb15ababa6d5c4aaab9ec69815661f5f3737aa2b

SHA256
8b27d85d7a339fac60d5ef3b9cff63f518f827ae005c7d701e950cae2b3bcfd9

SHA512
c68ae9b868dfca867fe921c1f2f1c9f819590c40e9d34febab939cfe3009202f47f5276ecb1eb5765529b1ed545eefc831c7d588f1eadb68266a2ff39b9d8160

Download Submit
memory/1744-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/2460-5-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download