959679892b2f80b4a7f39b38ab7a211b10655923b2630682f6a3893d287473dc

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 21:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ba38c64eb5cec7a98e861c449b679d5af90277ac6698248c8d103804c7812228.exe
Size

1.9MB
MD5

a7b42e2e499136244140436e530be781
SHA1

e3194cad117605cf6fbd6326e3c0262bd6e639b1
SHA256

ba38c64eb5cec7a98e861c449b679d5af90277ac6698248c8d103804c7812228
SHA512

44011daf1c056ddb40699cf39b3db68456a7fdf914c12aef3238c09b9f761fdee0fbb0475b82ffaaa96c47b3e06872432a3d2f71e3316acb9791443b16f151a0
SSDEEP

24576:N2oo60HPdt+1CRiY2eOBvcj3u10dXRK4jij0ig67VbNklsvuJeH2Ft0A6mCDJFBC:Qoa1taC070dX5jKVbNrWJ5f6J97uBKD2

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1596	9904.tmp

Executes dropped EXE 1 IoCs

pid	Process
1596	9904.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba38c64eb5cec7a98e861c449b679d5af90277ac6698248c8d103804c7812228.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9904.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 1596	4980	ba38c64eb5cec7a98e861c449b679d5af90277ac6698248c8d103804c7812228.exe	86
PID 4980 wrote to memory of 1596	4980	ba38c64eb5cec7a98e861c449b679d5af90277ac6698248c8d103804c7812228.exe	86
PID 4980 wrote to memory of 1596	4980	ba38c64eb5cec7a98e861c449b679d5af90277ac6698248c8d103804c7812228.exe	86

C:\Users\Admin\AppData\Local\Temp\ba38c64eb5cec7a98e861c449b679d5af90277ac6698248c8d103804c7812228.exe
"C:\Users\Admin\AppData\Local\Temp\ba38c64eb5cec7a98e861c449b679d5af90277ac6698248c8d103804c7812228.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Users\Admin\AppData\Local\Temp\9904.tmp
  "C:\Users\Admin\AppData\Local\Temp\9904.tmp" --splashC:\Users\Admin\AppData\Local\Temp\ba38c64eb5cec7a98e861c449b679d5af90277ac6698248c8d103804c7812228.exe 34E731A2BB3FBB568FAD4BC2C73B538CF23EFF1930A3C23DF35CFB33B7F86A93EBF42EF3DB922098A09A0177A28BAB5DA353AD927CB41CA8EA5A39CF7917BF5D
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9904.tmp

Filesize
1.9MB

MD5
aae7377ce563f17dcc2834c386483d73

SHA1
1ccc2226730511c8a317f7352fde5d441db85cc6

SHA256
a356545472e49ced21982efc637c458351966e1b5ad6b97852c65008697501f8

SHA512
b3725439d90dffb049e6afd68db141eb470d3e00645209364581cd7cc2b3d9bd1980765e4e777db171b74ff94003eacf9bb149badf39db3165005bbb04942962

Download Submit
memory/1596-5-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/4980-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download