edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe
Size

1.2MB
MD5

6a2ea5172be0df919da383e58add9ae2
SHA1

62b7b92e8e04e9ab6ca23dda6ae0f59f561a99d0
SHA256

edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a
SHA512

a79145531acb91afdcc65c7c3241ab20b1798872d634d18028e5634bb26c5e43f8a4ed7a576648418a49bcfb93a30937714565cd4cf97158bf9e38b89f821651
SSDEEP

24576:Eid5SKN9efvgu2nGmLHoRyHsSUEjUCWMd2Q:EiuK4Yu23jxwhi

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	fsutil.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2840	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe
2840	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2368	2840	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe	85
PID 2840 wrote to memory of 2368	2840	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe	85
PID 2840 wrote to memory of 2368	2840	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe	85
PID 2368 wrote to memory of 4824	2368	cmd.exe	87
PID 2368 wrote to memory of 4824	2368	cmd.exe	87
PID 2368 wrote to memory of 4824	2368	cmd.exe	87
PID 2840 wrote to memory of 2636	2840	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe	93
PID 2840 wrote to memory of 2636	2840	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe	93
PID 2840 wrote to memory of 2636	2840	edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe	93
PID 2636 wrote to memory of 536	2636	cmd.exe	95
PID 2636 wrote to memory of 536	2636	cmd.exe	95
PID 2636 wrote to memory of 536	2636	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe
"C:\Users\Admin\AppData\Local\Temp\edfcac1393d9b05a7e85e7088879dab4673f0a793fe03676a8e311b0f7cfef1a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c fsutil usn queryjournal C: > C:\Users\Admin\AppData\Local\Temp\USNDATA.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil usn queryjournal C:
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c fsutil usn queryjournal D: > C:\Users\Admin\AppData\Local\Temp\USNDATA.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil usn queryjournal D:
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\USNDATA.txt

Filesize
401B

MD5
aac4181264a48ba35c957eba43e35653

SHA1
1474405530fa8140716a566a7b37a33a0222b0bb

SHA256
e6290d6c42f2afd129615e98e3fd3436f1fe47e75e31b8a55cdded9e341cd55c

SHA512
7043ef860ec5db39ea87cd8b7ce46569c54acef23dd04460bab1a32c2ed294075b318aa76ccf6efdc0670bec544c366396053c262de33087aeef46b551c8ee2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\USNDATA.txt

Filesize
98B

MD5
a6d987d12490bc3827443e3797a22f98

SHA1
6d0931db25d110a1ab9ec01486f9b897f9cabef7

SHA256
5ed0d6359c6896a82b1cc616f17c4774dbba8db1dfeb28ae4ce18bc989925b46

SHA512
eaf68a62f4001c358314ddf31a4774f2187c8a8939526180e4d131e4672e3a3346f8890263b507bb1f8dac20866d444b1e2b927ccd9667e3ef9662ecc9c6d86d

Download Submit