026b47260fb5c1f2103e6e884b2c4d3c84a00143a03bc5254dc168e044e5e9ca

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 03:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

075b0f73a87fa5f2c26744e28021ae1b2b919d1706d387be27b638b8bcd4260f.exe
Size

3.1MB
MD5

016b10e65fe6694d9232959cdd948243
SHA1

0e30c45f0ec7074fda3b85529416f5f7455b85aa
SHA256

075b0f73a87fa5f2c26744e28021ae1b2b919d1706d387be27b638b8bcd4260f
SHA512

790e7c4440e792e20fa5a632247bd12424e8afb48b7fdf4fb5ac28e6fb808bc6c167cb174183d647cdf44bdd2f80df69d775bb0b0302c43e45363962dfca064d
SSDEEP

49152:Fvm22OdWOXqrbIyUJGF/x4TPWG4kqKYwLVT5kUvgJSgHT6ojkxFbxLWC3F:5mSWOiIyUY/4ckxzVLUjH5oxFbxx

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2608	A940.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	075b0f73a87fa5f2c26744e28021ae1b2b919d1706d387be27b638b8bcd4260f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A940.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 2608	5056	075b0f73a87fa5f2c26744e28021ae1b2b919d1706d387be27b638b8bcd4260f.exe	86
PID 5056 wrote to memory of 2608	5056	075b0f73a87fa5f2c26744e28021ae1b2b919d1706d387be27b638b8bcd4260f.exe	86
PID 5056 wrote to memory of 2608	5056	075b0f73a87fa5f2c26744e28021ae1b2b919d1706d387be27b638b8bcd4260f.exe	86

C:\Users\Admin\AppData\Local\Temp\075b0f73a87fa5f2c26744e28021ae1b2b919d1706d387be27b638b8bcd4260f.exe
"C:\Users\Admin\AppData\Local\Temp\075b0f73a87fa5f2c26744e28021ae1b2b919d1706d387be27b638b8bcd4260f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Users\Admin\AppData\Local\Temp\A940.tmp
  "C:\Users\Admin\AppData\Local\Temp\A940.tmp" --splashC:\Users\Admin\AppData\Local\Temp\075b0f73a87fa5f2c26744e28021ae1b2b919d1706d387be27b638b8bcd4260f.exe F3EADA65386CCF0B2F049554CC129C4BF53C0C6531F2792C45583C9E439E3322A0F1B7005A048EE9F954630D911A7001474E09CDB2F264E7816C54A25E163B82
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A940.tmp

Filesize
3.1MB

MD5
a3e3343321fd5f7b011d575e3c96d8af

SHA1
511d0e9bc35024c1723db62720447956f61551bf

SHA256
da08f4f5a0cf95ebe82a1eb5e13a13fc9a28ee6fe9580f0b406a577ca258088f

SHA512
2039878f91c21c4fc9e411bc6f68da79564ffac42fb859047e1fe00703a2d07efc1714bbd733ce003b57fbe1230167975532b9840e02ae56fb7a2246b164bc89

Download Submit
memory/2608-5-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/5056-0-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download