b572b5796a4d51d7f132d3a2e44ce55bc29829de76a7640d99ec098b3f8aff25

Resubmissions

02-09-2024 10:22

240902-mebp5aygke 3

02-09-2024 10:07

240902-l5mdwayeqg 6

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02-09-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Touhou PC98 Collection/GAMES/th04j.bat
Size

102B
MD5

f5ad3133927fd2cf26118199d2f1cb58
SHA1

61b2eec5aecbd468ca79bcf5f892cff96558a3a4
SHA256

618127615b193f7a87d35498f5c3bdd625b3d3a86659c83c773e53529722059f
SHA512

9e88b56b32c707797f3fd4ba84861f1bf608828ee76780926a46dbaa069561ae9fddac75e0915da947f9b6f9a9860a2defa9d255952d5a1e13434ba3c29ef91b

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	np21nt.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2384	np21nt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2384	np21nt.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2384	np21nt.exe
2384	np21nt.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2384	2096	cmd.exe	32
PID 2096 wrote to memory of 2384	2096	cmd.exe	32
PID 2096 wrote to memory of 2384	2096	cmd.exe	32
PID 2096 wrote to memory of 2384	2096	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Touhou PC98 Collection\GAMES\th04j.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\Touhou PC98 Collection\GAMES\np21nt.exe
  np21nt.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Touhou PC98 Collection\GAMES\np21nt.ini

Filesize
2KB

MD5
344a4947b014b648929c8233eb3b1f62

SHA1
e19d30530303036a34ca3d74b939c3b01dfbad81

SHA256
359b01097b1f00a8dd9b7ff9d220902e10772d7090ca01906c6a29644e7b6239

SHA512
0f49c4b78fedcc4c3fe504a322ee5dda573b75c690b908dc4729728118892b4b3a47eae6126aaa726a9a86bbeb953def61255899731851e98c8e1206760e8dd2

Download Submit
memory/2384-8-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/2384-7-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/2384-6-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/2384-4-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/2384-3-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/2384-5-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/2384-10-0x0000000005090000-0x000000000509A000-memory.dmp

Filesize
40KB

Download
memory/2384-9-0x0000000005090000-0x000000000509A000-memory.dmp

Filesize
40KB

Download
memory/2384-11-0x0000000005090000-0x000000000509A000-memory.dmp

Filesize
40KB

Download
memory/2384-16-0x0000000005580000-0x000000000558A000-memory.dmp

Filesize
40KB

Download
memory/2384-15-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/2384-14-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/2384-13-0x0000000005580000-0x000000000558A000-memory.dmp

Filesize
40KB

Download
memory/2384-12-0x0000000005580000-0x000000000558A000-memory.dmp

Filesize
40KB

Download
memory/2384-17-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/2384-18-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/2384-20-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/2384-19-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/2384-21-0x0000000005090000-0x000000000509A000-memory.dmp

Filesize
40KB

Download
memory/2384-22-0x0000000005580000-0x000000000558A000-memory.dmp

Filesize
40KB

Download
memory/2384-23-0x0000000005580000-0x000000000558A000-memory.dmp

Filesize
40KB

Download