71ef4ef378e7650d22e67b553e1746407db9cdab60b9ce80118a1d472f6f0871

Resubmissions

28-08-2024 22:18

240828-1737qsyhlb 8

28-08-2024 22:16

240828-164rwa1dmj 3

28-08-2024 22:11

240828-13w8mayfnd 3

Analysis

max time kernel
15s
max time network
15s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2024 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Multi Tool V1.exe
Size

102KB
MD5

8fbdf5098eada7d66ba3461be11ecb82
SHA1

6be85f474692d7c73fcfa4b598c7ba1e30541860
SHA256

71ef4ef378e7650d22e67b553e1746407db9cdab60b9ce80118a1d472f6f0871
SHA512

d8850ef499cb6afe84a4df35964e9f00fe27c52eaac61c0c2384dc0da334337e1ff1e1d388cb0f25f4ce333522c7dfe4f8f359f9d8ab858c398b73ac67b93197
SSDEEP

1536:Io7ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIf/w0UhTVlOir8:ImFfHgTWmCRkGbKGLeNTBf/UvOU8

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Multi Tool V1.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
532	timeout.exe
2876	timeout.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 3032	5100	Multi Tool V1.exe	85
PID 5100 wrote to memory of 3032	5100	Multi Tool V1.exe	85
PID 3032 wrote to memory of 1212	3032	cmd.exe	86
PID 3032 wrote to memory of 1212	3032	cmd.exe	86
PID 3032 wrote to memory of 532	3032	cmd.exe	96
PID 3032 wrote to memory of 532	3032	cmd.exe	96
PID 3032 wrote to memory of 2876	3032	cmd.exe	100
PID 3032 wrote to memory of 2876	3032	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\Multi Tool V1.exe
"C:\Users\Admin\AppData\Local\Temp\Multi Tool V1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8712.tmp\8713.tmp\8714.bat "C:\Users\Admin\AppData\Local\Temp\Multi Tool V1.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1212
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:532
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8712.tmp\8713.tmp\8714.bat

Filesize
11KB

MD5
65ec6a1a73222de6e0293626ee28abdc

SHA1
d1f130ba20fddf6fb9a4fa8e9cb55496a6936339

SHA256
9c363ae50e304866ae39424a37bd9515e51f4ab7e918003e51267c20d7514ebb

SHA512
e9ed37fd85999c7ea8dba136fffc3f862bcbb0254f84cee62f92c6c6650548d900a52f2e0a635fa589c650eae9c901fb2b1067fb5baefe284aa86dc65e656b2e

Download Submit