3c9e2c1137438d3d9e56025227868aee1f6208cf58dc85ef9ce5832992d38e41

Analysis

max time kernel
94s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49e8a2da67b4008ab4734979df63ec0c7e819da007f1b8527c0f2a58c6a75c68.exe
Size

1.9MB
MD5

2c41e506ef975e34fb0b0e9bb1135c72
SHA1

b46722c10eaad3e56394f98b611cc2a79b66f2de
SHA256

49e8a2da67b4008ab4734979df63ec0c7e819da007f1b8527c0f2a58c6a75c68
SHA512

8e9924e18b885945c9082b9fc2342d2e87da6341483b6c3de5c7ccbf799b40140edd332f2dbf2aa996a8c7b43c0246fa6d6898263bffdc00794195d240bbef62
SSDEEP

24576:N2oo60HPdt+1CRiY2eOBvcj3u10dnX+qgen94+mEj0GxnXZfjuD9hkkK4z1jsxQh:Qoa1taC070dndgea+Kgp6JrK4z1js4UK

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2384	785C.tmp

Executes dropped EXE 1 IoCs

pid	Process
2384	785C.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49e8a2da67b4008ab4734979df63ec0c7e819da007f1b8527c0f2a58c6a75c68.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	785C.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 2384	4484	49e8a2da67b4008ab4734979df63ec0c7e819da007f1b8527c0f2a58c6a75c68.exe	86
PID 4484 wrote to memory of 2384	4484	49e8a2da67b4008ab4734979df63ec0c7e819da007f1b8527c0f2a58c6a75c68.exe	86
PID 4484 wrote to memory of 2384	4484	49e8a2da67b4008ab4734979df63ec0c7e819da007f1b8527c0f2a58c6a75c68.exe	86

C:\Users\Admin\AppData\Local\Temp\49e8a2da67b4008ab4734979df63ec0c7e819da007f1b8527c0f2a58c6a75c68.exe
"C:\Users\Admin\AppData\Local\Temp\49e8a2da67b4008ab4734979df63ec0c7e819da007f1b8527c0f2a58c6a75c68.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Users\Admin\AppData\Local\Temp\785C.tmp
  "C:\Users\Admin\AppData\Local\Temp\785C.tmp" --splashC:\Users\Admin\AppData\Local\Temp\49e8a2da67b4008ab4734979df63ec0c7e819da007f1b8527c0f2a58c6a75c68.exe FEF133F8129990D48ABFAB2705CDDB9358A40A2957D795C2560452746A0E289D070D314041C241C1277ED9F7A2A44614D2454C1F401BD6567593EFA08100EAA7
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\785C.tmp

Filesize
1.9MB

MD5
be40c7b1ab9f2e8c77e3c540348b649f

SHA1
345c5184c780b7fed00ba199e2cb20bbd4938cb5

SHA256
c7f8cf7a84cc0a3b92fdf197b7e864803a37e3c92d84dcc562ea7fcc4f85764c

SHA512
56fa692420fc4adc2323712866a88f157f0473c2eb175bef502dace9860d545824c2dce3604123e6d8180469a8ece98469b028d7e36610a96ad969b74ec833c7

Download Submit
memory/2384-5-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/4484-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download