81a5b5ccc8ef0e8f8c0d919045fbb82484d0a550d1fa2bc2a419beb98a16eedc

Analysis

max time kernel
112s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab5aba6c4abe02ce1469654bd04ae560N.exe
Size

1.8MB
MD5

ab5aba6c4abe02ce1469654bd04ae560
SHA1

16dde5baefb9353e0bd631450a4d731249d95cf7
SHA256

81a5b5ccc8ef0e8f8c0d919045fbb82484d0a550d1fa2bc2a419beb98a16eedc
SHA512

8174f4ea8fe82af1d2a95c8d905f625904d616cf4e9ce227ac6758a471b362ece4a068f90ccc052fc6e48e2142399ee4bc62ba30d7234a7fe5f4cde06f35382d
SSDEEP

49152:FqeNVyO5iBNxiiZQCu9f0BTHgXhfSUbQr:UEIOwj/gJ0ZgXxxbu

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3836	ab5aba6c4abe02ce1469654bd04ae560N.tmp

Loads dropped DLL 1 IoCs

pid	Process
3836	ab5aba6c4abe02ce1469654bd04ae560N.tmp

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab5aba6c4abe02ce1469654bd04ae560N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab5aba6c4abe02ce1469654bd04ae560N.tmp

Kills process with taskkill 1 IoCs

evasion

pid	Process
1444	taskkill.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	35	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 3836	4792	ab5aba6c4abe02ce1469654bd04ae560N.exe	84
PID 4792 wrote to memory of 3836	4792	ab5aba6c4abe02ce1469654bd04ae560N.exe	84
PID 4792 wrote to memory of 3836	4792	ab5aba6c4abe02ce1469654bd04ae560N.exe	84
PID 3836 wrote to memory of 1444	3836	ab5aba6c4abe02ce1469654bd04ae560N.tmp	92
PID 3836 wrote to memory of 1444	3836	ab5aba6c4abe02ce1469654bd04ae560N.tmp	92
PID 3836 wrote to memory of 1444	3836	ab5aba6c4abe02ce1469654bd04ae560N.tmp	92

C:\Users\Admin\AppData\Local\Temp\ab5aba6c4abe02ce1469654bd04ae560N.exe
"C:\Users\Admin\AppData\Local\Temp\ab5aba6c4abe02ce1469654bd04ae560N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Users\Admin\AppData\Local\Temp\is-ICARJ.tmp\ab5aba6c4abe02ce1469654bd04ae560N.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ICARJ.tmp\ab5aba6c4abe02ce1469654bd04ae560N.tmp" /SL5="$601C6,1181751,780288,C:\Users\Admin\AppData\Local\Temp\ab5aba6c4abe02ce1469654bd04ae560N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" https://setstat.ru/api/savePostback?chid=%s&guid=%s&type=vkdjV_K_D_J.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-FJMR5.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ICARJ.tmp\ab5aba6c4abe02ce1469654bd04ae560N.tmp

Filesize
2.5MB

MD5
42dff2b4641638ce7e32c4d79b66345c

SHA1
dcb87c617a58d6e5914b52574d436c3c095b2331

SHA256
4b543620d0e37104396a5395cb91994ed924d45b5335004dd581b954dc32adf4

SHA512
bde0d1c81c341cc3795d8166e79247e08837b9c84741e4351d14363b02cf057642cde49024f7f7c7271bae4e0a1011eb7378e82a30f5747541206fa0d3b3f6e9

Download Submit
memory/3836-6-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/3836-13-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/3836-20-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/3836-28-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/3836-43-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/4792-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4792-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4792-12-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download