5d25ba09c4ebccbbf7de381f38b7644224952dde232723985d6c743919b0c693

Analysis

max time kernel
140s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 02:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5d25ba09c4ebccbbf7de381f38b7644224952dde232723985d6c743919b0c693.exe
Size

5.0MB
MD5

5bced70e9e37166a10c959803ed8126f
SHA1

fc2d953b0f7db76b47d0ec2886942f2e65b2942a
SHA256

5d25ba09c4ebccbbf7de381f38b7644224952dde232723985d6c743919b0c693
SHA512

ceb98d5b2544b130f1d43fd43b1d1239a30a65c8eb954488da53f858629b1d542975cf23a04aaaeb9bb51ca937afe319a619e92602e17b7909a10d685e4eb45c
SSDEEP

98304:MkLPqEqgAsdRv7uI9VlzaIuyFqEHSjP/EWyi+5pBn5unly1Xt:rPqEqgAsbv7uIrlv7Fq9jP9j+pEnlY9

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3616	5d25ba09c4ebccbbf7de381f38b7644224952dde232723985d6c743919b0c693.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d25ba09c4ebccbbf7de381f38b7644224952dde232723985d6c743919b0c693.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d25ba09c4ebccbbf7de381f38b7644224952dde232723985d6c743919b0c693.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 3616	5072	5d25ba09c4ebccbbf7de381f38b7644224952dde232723985d6c743919b0c693.exe	84
PID 5072 wrote to memory of 3616	5072	5d25ba09c4ebccbbf7de381f38b7644224952dde232723985d6c743919b0c693.exe	84
PID 5072 wrote to memory of 3616	5072	5d25ba09c4ebccbbf7de381f38b7644224952dde232723985d6c743919b0c693.exe	84

C:\Users\Admin\AppData\Local\Temp\5d25ba09c4ebccbbf7de381f38b7644224952dde232723985d6c743919b0c693.exe
"C:\Users\Admin\AppData\Local\Temp\5d25ba09c4ebccbbf7de381f38b7644224952dde232723985d6c743919b0c693.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\Temp\is-D0B29.tmp\5d25ba09c4ebccbbf7de381f38b7644224952dde232723985d6c743919b0c693.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-D0B29.tmp\5d25ba09c4ebccbbf7de381f38b7644224952dde232723985d6c743919b0c693.tmp" /SL5="$60252,4337505,876032,C:\Users\Admin\AppData\Local\Temp\5d25ba09c4ebccbbf7de381f38b7644224952dde232723985d6c743919b0c693.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-D0B29.tmp\5d25ba09c4ebccbbf7de381f38b7644224952dde232723985d6c743919b0c693.tmp

Filesize
3.1MB

MD5
9076cc03ff79131f2ab6a40fe3d67862

SHA1
23ce9473b69a730f5cdf6ca10dce0145d79ec56a

SHA256
a6d302b283231df54aa580ca9b1c62a4cba4c4a8779ff32a6be3a9478c872b34

SHA512
3bde33e0f03f4c61aab7faffce24509a8131ed05f8f3be06b4557238d8ec683877fe18e65129f4bc61a2977f0c3bf329c0c586660463242bd543e0125675eef0

Download Submit
memory/3616-6-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/3616-9-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/5072-0-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/5072-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/5072-8-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download