d078b647f74997353c3083ed716e1d8aeb41c0ff94323593c06ac22c40e4ca96

Analysis

max time kernel
119s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 13:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

12fcbf3221bef564576526842f27f3f0N.exe
Size

30KB
MD5

12fcbf3221bef564576526842f27f3f0
SHA1

9e21a432309559c760f049fe901815d3674869d9
SHA256

d078b647f74997353c3083ed716e1d8aeb41c0ff94323593c06ac22c40e4ca96
SHA512

f8ce2461e129a789940a7c6a62b61d3bd333b0796936d18af5b0f2df8b2079e9c478b872040bf6eaafc9fbab4a9dcac83d6de41668d8ef3590375a833151ea30
SSDEEP

384:v/4LNJY74JwOllSBQmrb0i5PrmqHIKpa54b5f0iws0wGXeAcE:v/qSamrxDmqoKM4Z0iwtwAKE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1896	2024090113.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024090113.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12fcbf3221bef564576526842f27f3f0N.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
424	12fcbf3221bef564576526842f27f3f0N.exe
1896	2024090113.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 424 wrote to memory of 1896	424	12fcbf3221bef564576526842f27f3f0N.exe	84
PID 424 wrote to memory of 1896	424	12fcbf3221bef564576526842f27f3f0N.exe	84
PID 424 wrote to memory of 1896	424	12fcbf3221bef564576526842f27f3f0N.exe	84
PID 424 wrote to memory of 4448	424	12fcbf3221bef564576526842f27f3f0N.exe	85
PID 424 wrote to memory of 4448	424	12fcbf3221bef564576526842f27f3f0N.exe	85
PID 424 wrote to memory of 4448	424	12fcbf3221bef564576526842f27f3f0N.exe	85

C:\Users\Admin\AppData\Local\Temp\12fcbf3221bef564576526842f27f3f0N.exe
"C:\Users\Admin\AppData\Local\Temp\12fcbf3221bef564576526842f27f3f0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:424
- C:\Users\Admin\AppData\Local\Temp\2024090113.exe
  C:\Users\Admin\AppData\Local\Temp\2024090113.exe down
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\del.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024090113.exe

Filesize
30KB

MD5
1456f948683c158fcefc5a80f7389b2e

SHA1
0dfcc0f5c567ee349025ddc6eb8ddbc65a7f2970

SHA256
e5b9f9ba9648bfbebf1ff692d41ed4e8fc0b3319be3b33119a4670f128245735

SHA512
28a0646de50385145ace591a68645d97de7e5f91f4d344668607663cc7383f73b64fc89b5f102d1b2842b12f1f8314506d55cb5449b379b4bf371f3fe4db7cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.bat

Filesize
174B

MD5
5c8526ffec0be255f1afb47c95134dc5

SHA1
93583ff76764fab9abb3004577d40279379a49ad

SHA256
d87eba086fc7cce1915e254f71c61299ac672c2bbcdde86f3b8eaf405a7b1a91

SHA512
fbf4c63112c01f20dfeecdf2b693ecb3c1e902a74b04cad12267b1a59b9cbc23ae04df2ef7152e0da945bb3f88e5b599e8ebf015b37357a468cf6fb91a4249dc

Download Submit
memory/1896-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download