d1b6e76e8a2e356aaa6b082916ecdd7ea83da8aa70aeab7896dfe82aea8e1464

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 02:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d78bb78aa89a2712a8c701a69358e0e611f8c476f4e9fa1d89c9620d3efa404b.exe
Size

1.9MB
MD5

9fd7ccb6ed4a0411d14be21e14b366ae
SHA1

ba8b41ae3f08146c11fd18b8144bd87f285d4b14
SHA256

d78bb78aa89a2712a8c701a69358e0e611f8c476f4e9fa1d89c9620d3efa404b
SHA512

c4e7f4f3ba3a8fa92ff5d8556e88ba52a5cb2ff3470738b44162477bb7ea2b0537a5d3f510485a5538edf31c65a5c58cce584b79b4140113c6a2724b7e8d00f2
SSDEEP

49152:Qoa1taC070dIXObb0nvBgoBQ8h51ItsrqS4:Qoa1taC0nObO+8P1IirqB

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4896	88C7.tmp

Executes dropped EXE 1 IoCs

pid	Process
4896	88C7.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d78bb78aa89a2712a8c701a69358e0e611f8c476f4e9fa1d89c9620d3efa404b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88C7.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 4896	4624	d78bb78aa89a2712a8c701a69358e0e611f8c476f4e9fa1d89c9620d3efa404b.exe	86
PID 4624 wrote to memory of 4896	4624	d78bb78aa89a2712a8c701a69358e0e611f8c476f4e9fa1d89c9620d3efa404b.exe	86
PID 4624 wrote to memory of 4896	4624	d78bb78aa89a2712a8c701a69358e0e611f8c476f4e9fa1d89c9620d3efa404b.exe	86

C:\Users\Admin\AppData\Local\Temp\d78bb78aa89a2712a8c701a69358e0e611f8c476f4e9fa1d89c9620d3efa404b.exe
"C:\Users\Admin\AppData\Local\Temp\d78bb78aa89a2712a8c701a69358e0e611f8c476f4e9fa1d89c9620d3efa404b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Users\Admin\AppData\Local\Temp\88C7.tmp
  "C:\Users\Admin\AppData\Local\Temp\88C7.tmp" --splashC:\Users\Admin\AppData\Local\Temp\d78bb78aa89a2712a8c701a69358e0e611f8c476f4e9fa1d89c9620d3efa404b.exe A575150FC4A107B5199CDB9FC497C67716DF14BEFDA80DA1EA8298E4365F2B3DD6A4D58F45F65511A16B03ECF0CD51B8F90C6172D63BF0FD039A9E154BDC7C78
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\88C7.tmp

Filesize
1.9MB

MD5
7fa41d3b06a95d9def9e7e5b533f1aec

SHA1
b02f60d842d6d4e1dcf29981e2d640b9ce1be67b

SHA256
7028ae607f16dc14bab81526a8603dede11236071157f6069ac7210836f040aa

SHA512
3f33057e3ab9bff924350e0c158a52e69d5a488bd81dd095def5f64f3d23bc3768fc155b9a38867a48db366ed4c4c2a96de195cab30491f896f99ea060fba99a

Download Submit
memory/4624-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/4896-5-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download