b572b5796a4d51d7f132d3a2e44ce55bc29829de76a7640d99ec098b3f8aff25

Resubmissions

02-09-2024 10:22

240902-mebp5aygke 3

02-09-2024 10:07

240902-l5mdwayeqg 6

Analysis

max time kernel
49s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-09-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Touhou PC98 Collection/GAMES/th03j.bat
Size

102B
MD5

6d2d72ce7cc2f0a43548010befaf0dae
SHA1

409a21eae5b43eb13100206ba0ba01ef1a2a1b24
SHA256

45f00453cbd8e8921102bb6be8901e6dc7b643ac7f176c53e42010dbe0b9c0da
SHA512

99fcb378ff7f35a6fac4554ff20cba68b348edde8308bb4b85686eb28a3880cd4fa4fc1475a48183c1e197283850b74d4e32b7190450ea4a757617b5b3eed2ed

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	np21nt.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2300	np21nt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2300	np21nt.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2300	np21nt.exe
2300	np21nt.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2300	2128	cmd.exe	31
PID 2128 wrote to memory of 2300	2128	cmd.exe	31
PID 2128 wrote to memory of 2300	2128	cmd.exe	31
PID 2128 wrote to memory of 2300	2128	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Touhou PC98 Collection\GAMES\th03j.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\Touhou PC98 Collection\GAMES\np21nt.exe
  np21nt.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Touhou PC98 Collection\GAMES\np21nt.ini

Filesize
2KB

MD5
d8d0e59f9e8673c5cfc8183ff801645f

SHA1
2419c8e7ee5377075dc73a19460f18fed2fa0311

SHA256
6cb26413efcfa94822e2c8d091c32bb4aa9dbb416e08f078fb8e0745943e49eb

SHA512
c074687a4472bd90aecdc584679bae6cee84b16417a5ad3b9d6208bbff030605e660c40bd749ed5ac221ea256b129efb6743fc4d371e9e23de9b54efe0f0bd24

Download Submit
memory/2300-14-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/2300-25-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/2300-9-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/2300-16-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/2300-15-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/2300-20-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/2300-13-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/2300-12-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/2300-11-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/2300-7-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/2300-17-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/2300-18-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/2300-10-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/2300-5-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/2300-4-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/2300-3-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/2300-6-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/2300-19-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/2300-21-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/2300-22-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/2300-23-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/2300-24-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/2300-8-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download