b572b5796a4d51d7f132d3a2e44ce55bc29829de76a7640d99ec098b3f8aff25

Resubmissions

02/09/2024, 10:22

240902-mebp5aygke 3

02/09/2024, 10:07

240902-l5mdwayeqg 6

Analysis

max time kernel
92s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Touhou PC98 Collection/GAMES/th02e.bat
Size

102B
MD5

0a479419e73d437c03cda1ddeda14b19
SHA1

f9e232a743c0e6fc68e0a7e6a7c26047412579e4
SHA256

7152b811b52143cbc3e7eb1374193610b16cae357cbb140265b16b08279654c0
SHA512

01ecb4836c23eeff2861b3cc94cf8eb3554e3ab6cc805e10172ee8f6ae0bf973009c233a9f11c62d8f6063a4dead04dfc585a0bb1eb847574385462a4f8b1ce4

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	np21nt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1576	np21nt.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4244	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4244	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1576	np21nt.exe
1576	np21nt.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1576	1416	cmd.exe	86
PID 1416 wrote to memory of 1576	1416	cmd.exe	86
PID 1416 wrote to memory of 1576	1416	cmd.exe	86

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Touhou PC98 Collection\GAMES\th02e.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\Temp\Touhou PC98 Collection\GAMES\np21nt.exe
  np21nt.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1576

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x30c 0x2d0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Touhou PC98 Collection\GAMES\np21nt.ini

Filesize
2KB

MD5
6b2972b3d78a45c7d9c8f45c9f1c3a77

SHA1
7928dfc04b2356df98451a03a69939051bfce3cc

SHA256
a10cc3b1c48081fd96295f06956279df8da302e3a4f0c58466859e9e0ca4d435

SHA512
80bd1b35a82ef1d568af377520d70f77d3b74cd1bb43e253b4d5ac2f0a4ae6d8456570f448b59f782f8067cf01bcb94fc36656eb4f65a6214ac3a85d7490fd66

Download Submit