c9985e616b114b369569a682f68fb0b3b6690946d9dff6d4ed62e397e1074102

Analysis

max time kernel
108s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dsa31fr.zip
Size

37.4MB
MD5

5965defb98ac6184565a08af80cccf0e
SHA1

6a24209eedb6d828d70fb2d77dc1af2e92ea66b7
SHA256

c9985e616b114b369569a682f68fb0b3b6690946d9dff6d4ed62e397e1074102
SHA512

ab633bf546bc230e2e308527a2a06b1e9309507012965314de33b000c585cea2f522364004c8be9d8048a23cbdc68395edf8968552861a404be18cfe2aba326f
SSDEEP

786432:MoftJjfpFI3Q/UeB+Txb9GkV/H1I8kSE0pTQyW7yZ+WmQVqPE:zftJdF2mU2QbU88P0pe9QVqPE

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1600	weuw49gwiZ8.exe
1600	weuw49gwiZ8.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	weuw49gwiZ8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1600	weuw49gwiZ8.exe
1600	weuw49gwiZ8.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\dsa31fr.zip
1⤵
PID:2924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1012

C:\Users\Admin\Desktop\weuw49gwiZ8.exe
"C:\Users\Admin\Desktop\weuw49gwiZ8.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1600-0-0x0000000000EFD000-0x000000000176D000-memory.dmp

Filesize
8.4MB

Download
memory/1600-2-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1600-1-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1600-3-0x0000000000DF0000-0x000000000263F000-memory.dmp

Filesize
24.3MB

Download
memory/1600-5-0x0000000000DF0000-0x000000000263F000-memory.dmp

Filesize
24.3MB

Download
memory/1600-7-0x0000000000EFD000-0x000000000176D000-memory.dmp

Filesize
8.4MB

Download
memory/1600-8-0x0000000000DF0000-0x000000000263F000-memory.dmp

Filesize
24.3MB

Download