0e7aee730699d727ef9ef73ff89af692f4f85fa4dcb1c0d784579c139adad9a9

Analysis

max time kernel
95s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 08:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

49862af39581de5f81b117c185c66887834df4b2c27842066c07b257eec573c9.exe
Size

1.9MB
MD5

19fec20736537664662bf92a26848c55
SHA1

af2b1fa140c0f50e7caaac34124ef8426157d323
SHA256

49862af39581de5f81b117c185c66887834df4b2c27842066c07b257eec573c9
SHA512

2c493ac9394eb665512803bf969146f3c187c9a536af8cb7c38bfbb2e1b77de39fe299906d440be5d43c3973764c46147bd217b2ca2e76ff2066c2283ca6eddf
SSDEEP

49152:Qoa1taC070diKSXbXW6oVNjkVNwUhOv0aAlGTkM:Qoa1taC0icbQjk35SAlGTkM

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2176	BCE7.tmp

Executes dropped EXE 1 IoCs

pid	Process
2176	BCE7.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49862af39581de5f81b117c185c66887834df4b2c27842066c07b257eec573c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCE7.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 2176	5000	49862af39581de5f81b117c185c66887834df4b2c27842066c07b257eec573c9.exe	86
PID 5000 wrote to memory of 2176	5000	49862af39581de5f81b117c185c66887834df4b2c27842066c07b257eec573c9.exe	86
PID 5000 wrote to memory of 2176	5000	49862af39581de5f81b117c185c66887834df4b2c27842066c07b257eec573c9.exe	86

C:\Users\Admin\AppData\Local\Temp\49862af39581de5f81b117c185c66887834df4b2c27842066c07b257eec573c9.exe
"C:\Users\Admin\AppData\Local\Temp\49862af39581de5f81b117c185c66887834df4b2c27842066c07b257eec573c9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Users\Admin\AppData\Local\Temp\BCE7.tmp
  "C:\Users\Admin\AppData\Local\Temp\BCE7.tmp" --splashC:\Users\Admin\AppData\Local\Temp\49862af39581de5f81b117c185c66887834df4b2c27842066c07b257eec573c9.exe BC6F2FE70807F16935630EC95BC90CE1F8E74656C975CD43F2E3B8CF687A2ADEC4725FAB6360783ABA8424873B519DF1A9197C5ABEFAE2B78050ED3A0E65BE97
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BCE7.tmp

Filesize
1.9MB

MD5
1dcaed4be3293f516f6d53d3d311716a

SHA1
f76dd057a74245db3aab0536699af39239a85014

SHA256
246b41f9aac1eb3e75f9f11568bd22e172cae7e3a3cb0e634ee8e7ec3f023b3a

SHA512
ae0715ec16b3b2427f25ceb5d4d111ec7dcbd9e936ef0dfb1d6abb5412614dd24727ca1c156187130e46561b2166d29dfe5d2a740e742be0b330db8ea6144ff6

Download Submit
memory/2176-5-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/5000-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download