Analysis
max time kernel: 137s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-09-2024 07:46
Static task: static1
Behavioral task: behavioral1
  Sample: 159b90dddcf3e0e852c043e1d1e959d359f45c8413a00c6431450702e07d444c.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 159b90dddcf3e0e852c043e1d1e959d359f45c8413a00c6431450702e07d444c.exe
  Resource: win10v2004-20240802-en
General
Target: 159b90dddcf3e0e852c043e1d1e959d359f45c8413a00c6431450702e07d444c.exe
Size: 6.1MB
MD5: 290309683edda0fd4ad586d2cf1b0e48
SHA1: 4e686ccb2191bec5641a3621370289b870836af9
SHA256: 159b90dddcf3e0e852c043e1d1e959d359f45c8413a00c6431450702e07d444c
SHA512: 5a52fdada62debce366f099e75c87eb7ae0e2a7074d01ea00ee1d55858005591de92ca5a3cf978765749a8f9bc99aaf753cb4109b8ff0ea88f423fd363b5638d
SSDEEP: 98304:+t+ww48YTRGrjsYrXa1PSELk/GEAUfZ82ub8GRprbGJ1y1xWcdGWLpDi5PdjDJiN:+xaELkaUfdOMeXdVlG5Fp+
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid: 1840  Process: 159b90LQvtoQ.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: 159b90dddcf3e0e852c043e1d1e959d359f45c8413a00c6431450702e07d444c.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: 159b90LQvtoQ.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 1840  Process: 159b90LQvtoQ.exe
  pid: 1840  Process: 159b90LQvtoQ.exe
Suspicious behavior: RenamesItself (1 IoC)
  pid: 5728  Process: 159b90dddcf3e0e852c043e1d1e959d359f45c8413a00c6431450702e07d444c.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 5728 wrote to memory of 1840  pid: 5728  Process: 159b90dddcf3e0e852c043e1d1e959d359f45c8413a00c6431450702e07d444c.exe  procid_target: 94
  description: PID 5728 wrote to memory of 1840  pid: 5728  Process: 159b90dddcf3e0e852c043e1d1e959d359f45c8413a00c6431450702e07d444c.exe  procid_target: 94
  description: PID 5728 wrote to memory of 1840  pid: 5728  Process: 159b90dddcf3e0e852c043e1d1e959d359f45c8413a00c6431450702e07d444c.exe  procid_target: 94
Processes
C:\Users\Admin\AppData\Local\Temp\159b90dddcf3e0e852c043e1d1e959d359f45c8413a00c6431450702e07d444c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\159b90dddcf3e0e852c043e1d1e959d359f45c8413a00c6431450702e07d444c.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID: 5728
    C:\Users\Admin\AppData\Local\Temp\159b90LQvtoQ.exe
      Command line: "159b90LQvtoQ.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 1840
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4768,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=948 /prefetch:8
  PID: 3120
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 6.1MB
MD5: 3202735304c30eaaae74065560f2adbf
SHA1: f1a2012a2282ff3824261652b1633cc1a3fd811e
SHA256: 6da967e94ec186a1b6c6acdfbb08c432af6a2f6779ba61c92ec25b8ce7cb9b7c
SHA512: b2e1a5c5d37c0382956e6815efdcd8a97a9c836b45c5f8fef455f963258ec193327f58595c2c5e887d444066b4e75734002af3c489028b060abcbffeab4dc9d2

Filesize: 18B
MD5: 0b8f565b4c51ed42911387644156f501
SHA1: 25d4a59857464796396869432f2fc3e696ab8f4a
SHA256: 3632b1152801fa0b7bf522ddf6ece89c193881ebbfe76e8cb8666508bfb99f49
SHA512: 17c82abe9e7410ed7111cf12930c01bd86af096f1292c6e9fb10930ce94e582702725dc14768b4975b94fe12106642c64c6300c8400b146538e2c71dce826011