a482b141ccbb13ca7b366d409a8feaa27a120a67f23eb2f8eed5e068ff583489

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a482b141ccbb13ca7b366d409a8feaa27a120a67f23eb2f8eed5e068ff583489.exe
Size

589KB
MD5

5176284ccdb6245cc137f00fe91fb654
SHA1

26df9fc2dd605de3d9934d2425c032420d0c7f2c
SHA256

a482b141ccbb13ca7b366d409a8feaa27a120a67f23eb2f8eed5e068ff583489
SHA512

f15fcc52399f0004e179bf6cd9e7f03a75b744f5af09c67fc1f70e1ca0aa6449536b6e06951431accd0b6037e729f4562380b7e16962fdf6fe115b4e947fd435
SSDEEP

12288:QC3wdew5NKr6XvipKVm8cdZV6UMb+DjFgJco/D691U:QAmewTW6fipKpS2HuFTyDh

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
852	a482b141ccbb13ca7b366d409a8feaa27a120a67f23eb2f8eed5e068ff583489.exe
852	a482b141ccbb13ca7b366d409a8feaa27a120a67f23eb2f8eed5e068ff583489.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
852	a482b141ccbb13ca7b366d409a8feaa27a120a67f23eb2f8eed5e068ff583489.exe
2552	a482b141ccbb13ca7b366d409a8feaa27a120a67f23eb2f8eed5e068ff583489.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 852 set thread context of 2552	852	a482b141ccbb13ca7b366d409a8feaa27a120a67f23eb2f8eed5e068ff583489.exe	94

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Stomachache191.dre	a482b141ccbb13ca7b366d409a8feaa27a120a67f23eb2f8eed5e068ff583489.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a482b141ccbb13ca7b366d409a8feaa27a120a67f23eb2f8eed5e068ff583489.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a482b141ccbb13ca7b366d409a8feaa27a120a67f23eb2f8eed5e068ff583489.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
852	a482b141ccbb13ca7b366d409a8feaa27a120a67f23eb2f8eed5e068ff583489.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 2552	852	a482b141ccbb13ca7b366d409a8feaa27a120a67f23eb2f8eed5e068ff583489.exe	94
PID 852 wrote to memory of 2552	852	a482b141ccbb13ca7b366d409a8feaa27a120a67f23eb2f8eed5e068ff583489.exe	94
PID 852 wrote to memory of 2552	852	a482b141ccbb13ca7b366d409a8feaa27a120a67f23eb2f8eed5e068ff583489.exe	94
PID 852 wrote to memory of 2552	852	a482b141ccbb13ca7b366d409a8feaa27a120a67f23eb2f8eed5e068ff583489.exe	94
PID 852 wrote to memory of 2552	852	a482b141ccbb13ca7b366d409a8feaa27a120a67f23eb2f8eed5e068ff583489.exe	94

C:\Users\Admin\AppData\Local\Temp\a482b141ccbb13ca7b366d409a8feaa27a120a67f23eb2f8eed5e068ff583489.exe
"C:\Users\Admin\AppData\Local\Temp\a482b141ccbb13ca7b366d409a8feaa27a120a67f23eb2f8eed5e068ff583489.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\a482b141ccbb13ca7b366d409a8feaa27a120a67f23eb2f8eed5e068ff583489.exe
  "C:\Users\Admin\AppData\Local\Temp\a482b141ccbb13ca7b366d409a8feaa27a120a67f23eb2f8eed5e068ff583489.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsc8C91.tmp

Filesize
61B

MD5
74b3a93cf5d11d11b8dff1d5ec57a81d

SHA1
bc7da5a65649e99c488e6a4c130f1134e80dcf74

SHA256
706dc879eaaeee6ada053cfd98acedee299c07a8dc98f0cc024cc614057c38b6

SHA512
bef3b9fa70eec9ecb57ccc75bb54a5a76e1a0c4a8387823f7c931f091a1157bea4e678e19fcc775a7ee1c43d025d09e8ae4869b4c785dc7f8c4de39cf9bd7d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc8C91.tmp

Filesize
73B

MD5
b80ef50d0f02b0e60035ddab237b744e

SHA1
addac470421ca09efee0c0718d805e1312246086

SHA256
d26183d8122f1a8b4a98c5716a0520bdf9b28b95fa3baac4af25c49d39bd1da9

SHA512
ccf91989bb62dfd85144b5b85528921f2a134515797fbe6be348852bca34e6e7bc27a7d6a17e7ba28b62a8c644581a092a892957c84853cbb29eea8cb6792820

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc8C91.tmp

Filesize
8B

MD5
c3cb69218b85c3260387fb582cb518dd

SHA1
961c892ded09a4cbb5392097bb845ccba65902ad

SHA256
1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101

SHA512
2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc8C91.tmp

Filesize
26B

MD5
bc970bd8ec8acf8ac1ada9e444673a39

SHA1
6c03dfa1c2595129e8e0e2428fceb0f2df7f82a7

SHA256
0092de36b51381e4fe5e613bdbae906f0c6e8691fec4a93f82b876f1af826648

SHA512
c3fc2d8b396b6753759b532bb9e91d015a039476ec2cf8abcd4c6d4d32b9305146752743692486bd4e3984325a7e9c6db0ff4d902c2879993789573f9cdca3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc8C91.tmp

Filesize
33B

MD5
5555876f2521b3ae2424dd9d6ce983aa

SHA1
5dd9296584980764dc0bebb55e721e6f9aacc86b

SHA256
0ca259e86b73dc8d2f375e3860b6bf91b78b3680b5b90c262fdd82432492a77a

SHA512
71992459867bdb629a697d2f1e750390983fd752fe46f3c753eb0671d8e7498850320145b5662c714229cfcad6f0a2fbffac4c5a6ff40c87a90701bfa69763dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc8C91.tmp

Filesize
46B

MD5
46bc3b3f30f2703822d77228cf71c47f

SHA1
880c185810ea2b075648c9d0aac41487c8383059

SHA256
8bf4c616c9a55aafdc1a48ebdb11f8fbea6fb2465aa2f216e4efad6d540a1d99

SHA512
b8dd0e24989ee9acf9eb6b86dfb7f87d1d11f96458981170b7557aa1e26bb995a9ff785c8a98a54327ab12a7868d9c404b221e5f09e401d431dbb0120042946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8D00.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8D21.tmp

Filesize
60B

MD5
f1c4e5b72fc4efe877654cca867a121f

SHA1
330803f9b40ddabc744d59b23796dd9bb733a561

SHA256
644ec3403850a1901813dca3a7b4afd8d4759c52f3ff4197f6b1bfd5be225c0c

SHA512
af9f1de9aaf7722e13fa0fa170457c5278f3b9338582c9d89bc28a49ed87fd47fe36d72f39b5d2cff6c2392ea9ef9ed3cebbcedb4c8bad33330e8b387765726e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss8D41.tmp

Filesize
56B

MD5
6d75a8b17369151ec2dde3aad56d7cc9

SHA1
672cf74f9e2fb323819f1a5aced0a737d86d63bf

SHA256
04df164601c8ffa633143980424f49ae49a57f474bc0b893a92ed4c415a50fe2

SHA512
c004317ef13a5fb74d8043ceb49b59d65e601afcc31c060377decdeefc8a6368db03cccd338093647d0c500aa3ed7a3f4f54c11365538386c49da03704e70311

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss8DDE.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx8D10.tmp

Filesize
47B

MD5
a44e5b9b8830beb622f716549767927d

SHA1
78160ea5ffaa4c2e170780a8c18fd36a47724cf7

SHA256
f90559b15f9f45cefd05f0e7b0ec4b7b254a22a2f2cc65eabd6a40ed0c889137

SHA512
ce3a50dc422773b2543260285c7e62617c104c797e4bb4cb16a3d1fc80d18fb6285120e71ba28522061e04c7b89954f5154a490d323ba695493d48a6fd0e43af

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx8D10.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
memory/852-569-0x0000000077B61000-0x0000000077C81000-memory.dmp

Filesize
1.1MB

Download
memory/852-571-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/852-570-0x0000000077B61000-0x0000000077C81000-memory.dmp

Filesize
1.1MB

Download
memory/2552-572-0x0000000077BE8000-0x0000000077BE9000-memory.dmp

Filesize
4KB

Download
memory/2552-573-0x0000000077C05000-0x0000000077C06000-memory.dmp

Filesize
4KB

Download
memory/2552-574-0x0000000077B61000-0x0000000077C81000-memory.dmp

Filesize
1.1MB

Download
memory/2552-575-0x00000000007F0000-0x0000000001A44000-memory.dmp

Filesize
18.3MB

Download