bb7db58c52173bcdea8f5c2c07037559fa83b7922d8e16fe8cb88780444f0fb7

Analysis

max time kernel
94s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51c59d1ab82d5059b3a5b4b0c0f65db0772d64a047e1864a93be10b2f3c6baf7.exe
Size

1.9MB
MD5

6e0c46da73f84e7c2e3cb792004e1838
SHA1

9c7dd862d1a3abe1aef52467d94f7940d476354d
SHA256

51c59d1ab82d5059b3a5b4b0c0f65db0772d64a047e1864a93be10b2f3c6baf7
SHA512

cecab4f90cac8d835e5d3ba44df7e7df3de43afeedd62ffe3ae2504ec3f478fb6659a4683211028088c0c4a58ed9f98e3e17e39fa0d7681753d433188c8ce4d5
SSDEEP

49152:Qoa1taC070dXWsiErULbknCJpE9OZAPjbpmG3sYhm:Qoa1taC07IrU/p4wZA7bpmVem

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4700	D0EC.tmp

Executes dropped EXE 1 IoCs

pid	Process
4700	D0EC.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51c59d1ab82d5059b3a5b4b0c0f65db0772d64a047e1864a93be10b2f3c6baf7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D0EC.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 4700	4440	51c59d1ab82d5059b3a5b4b0c0f65db0772d64a047e1864a93be10b2f3c6baf7.exe	86
PID 4440 wrote to memory of 4700	4440	51c59d1ab82d5059b3a5b4b0c0f65db0772d64a047e1864a93be10b2f3c6baf7.exe	86
PID 4440 wrote to memory of 4700	4440	51c59d1ab82d5059b3a5b4b0c0f65db0772d64a047e1864a93be10b2f3c6baf7.exe	86

C:\Users\Admin\AppData\Local\Temp\51c59d1ab82d5059b3a5b4b0c0f65db0772d64a047e1864a93be10b2f3c6baf7.exe
"C:\Users\Admin\AppData\Local\Temp\51c59d1ab82d5059b3a5b4b0c0f65db0772d64a047e1864a93be10b2f3c6baf7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Users\Admin\AppData\Local\Temp\D0EC.tmp
  "C:\Users\Admin\AppData\Local\Temp\D0EC.tmp" --splashC:\Users\Admin\AppData\Local\Temp\51c59d1ab82d5059b3a5b4b0c0f65db0772d64a047e1864a93be10b2f3c6baf7.exe 895790D61CD6DC438003D177716FB0F5BBCD834C447DFDEAA05428A897941B0E3CDA83B4337A4C642EEBFEAB491E2C53A15C4ED367781C1CBD63EB2AA2AE754B
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D0EC.tmp

Filesize
1.9MB

MD5
cfae3cd502a4d93bd043c080cff1828c

SHA1
1a710eed1814923b9f3bdaaece4b4eb1751522e4

SHA256
9fced7854949b2bb60cd8ed8f977bb12e3d34f890aed53ff5a7b5c2f213eefae

SHA512
060f277550c2ad55c89c3c899f01f2d4ca5fa9b5da30eb083bdfa7067c50da3c5d9c8e48eb9446d89ac57b23242157d4b0f8d65f4eb9d2409f45ad6623e16f65

Download Submit
memory/4440-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/4700-5-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download