c02aa4559762d16b9fad2e0653a7ceaa27a758675af7ad51cd0defc5f73b856f

Analysis

max time kernel
110s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe7068de4977730de984f6f64276ac40N.exe
Size

1.7MB
MD5

fe7068de4977730de984f6f64276ac40
SHA1

8048446ef41aefb9e8527af313e96bfb5d9f86e7
SHA256

c02aa4559762d16b9fad2e0653a7ceaa27a758675af7ad51cd0defc5f73b856f
SHA512

7e5406862d25c01d46e85c6cf848d4f3b295da8114cbe37570ebbf388cf2225c2e3f9226cf7dff3dc4c09529b66e0f2323d8a2e280216ac37fc1b0a76276f3a2
SSDEEP

24576:Z7FUDowAyrTVE3U5F1CxMET3L39L1CCJYHXy1ZSoRnIRST2b+vKtL9mxZNXqCe2:ZBuZrEUWXjCtHwZSoRnkcy5mtqI

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2484	fe7068de4977730de984f6f64276ac40N.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe7068de4977730de984f6f64276ac40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe7068de4977730de984f6f64276ac40N.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 2484	4444	fe7068de4977730de984f6f64276ac40N.exe	86
PID 4444 wrote to memory of 2484	4444	fe7068de4977730de984f6f64276ac40N.exe	86
PID 4444 wrote to memory of 2484	4444	fe7068de4977730de984f6f64276ac40N.exe	86

C:\Users\Admin\AppData\Local\Temp\fe7068de4977730de984f6f64276ac40N.exe
"C:\Users\Admin\AppData\Local\Temp\fe7068de4977730de984f6f64276ac40N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Users\Admin\AppData\Local\Temp\is-72MSU.tmp\fe7068de4977730de984f6f64276ac40N.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-72MSU.tmp\fe7068de4977730de984f6f64276ac40N.tmp" /SL5="$D002E,840718,816128,C:\Users\Admin\AppData\Local\Temp\fe7068de4977730de984f6f64276ac40N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-72MSU.tmp\fe7068de4977730de984f6f64276ac40N.tmp

Filesize
3.0MB

MD5
b9dd1c1e746c37a247a4851c655db5eb

SHA1
e055fba0b073c813d3136f6be70dd9f111a736ad

SHA256
f8d45949d04e1e4ef80aa374365cfff9fe257e599d8ec01fd5953440ec86b3b5

SHA512
e37dfa9f230c474cb99067b47e97a5f624849d8138574d64280ebc221038b6fc3531693a6786e7e1ede5026b097db37c77529af175d45db63c2b25bafb71434a

Download Submit
memory/2484-6-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/2484-13-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/4444-0-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/4444-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4444-11-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download