ee6c0617ab8a4602e3c5ca07dc20e507a0389dc7fedd80ac50f175694ef89234

Analysis

max time kernel
93s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ec631c65feb21cafba5d2e934c90530N.exe
Size

6.0MB
MD5

2ec631c65feb21cafba5d2e934c90530
SHA1

aa322315981ad5bf4780ef819ba4cafac2d7ee9c
SHA256

ee6c0617ab8a4602e3c5ca07dc20e507a0389dc7fedd80ac50f175694ef89234
SHA512

5cb71e9a7ced3a841ffdf3af65e40303a6d8289cd662ed8601820e03bc06e20e84127acb6f5e2dae11f31893db2468f01c0339a8edd3d644c0fccd3d9432959f
SSDEEP

98304:emhd1UryeSIjsdq4Um2xPSwtGV7wQqZUha5jtSyZIUS:elyIsk4Um2VZtG2QbaZtlir

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3852	9328.tmp

Executes dropped EXE 1 IoCs

pid	Process
3852	9328.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ec631c65feb21cafba5d2e934c90530N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9328.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 3852	3300	2ec631c65feb21cafba5d2e934c90530N.exe	86
PID 3300 wrote to memory of 3852	3300	2ec631c65feb21cafba5d2e934c90530N.exe	86
PID 3300 wrote to memory of 3852	3300	2ec631c65feb21cafba5d2e934c90530N.exe	86

C:\Users\Admin\AppData\Local\Temp\2ec631c65feb21cafba5d2e934c90530N.exe
"C:\Users\Admin\AppData\Local\Temp\2ec631c65feb21cafba5d2e934c90530N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Users\Admin\AppData\Local\Temp\9328.tmp
  "C:\Users\Admin\AppData\Local\Temp\9328.tmp" --splashC:\Users\Admin\AppData\Local\Temp\2ec631c65feb21cafba5d2e934c90530N.exe 6C36942E83231B7079874ADBFAB9E6919782299ADB06485F1549F117B768B5B0F57C2F521CBF0B60A6E3514D771AFEB28E71EEC07558F8F8E1DD9FAAE4D499F8
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9328.tmp

Filesize
6.0MB

MD5
4cf35ec08180bce9cb11bdbda8bbde9a

SHA1
ddbe1005d3d6dce5276f38693611c142b968ad07

SHA256
1abf4ff91323869d6cd1b6c9549b5c14997d9388509bf81277e619b49885f117

SHA512
f41d76bd1803cd01bffad2fcf6cc15c38a03833e29a697d7582c01268b113e77a2977b9360dce43dbffce8f6af540e935efa4a57b342b976d730540f2ab84f56

Download Submit
memory/3300-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/3852-5-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download