d20170c91802fa9efc49880d30309a00e45b3acbbba2fd037edb9b1a624a4f35

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 19:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f59a7c194fad4fd4964ff4b87814067899a0d1dcbdfae408937d20379177ad6f.exe
Size

1.9MB
MD5

4ef85ec6348d9788bb38dc3c68f5716e
SHA1

153438647c9e28155935fb322d775dd14ed0419d
SHA256

f59a7c194fad4fd4964ff4b87814067899a0d1dcbdfae408937d20379177ad6f
SHA512

cb9dc567ea42d0e20ea90c0b0284509924fb68ee02ed4f9950ae861b87755c287b7a233fede6a9a26475076528c87c51a0b738d8a060298d82a8dff0a6272017
SSDEEP

49152:Qoa1taC070dizl8ZPf3dvmOg6HHW4NJQWM59Sq:Qoa1taC09x8tf3RmOH24NJWB

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1144	65BA.tmp

Executes dropped EXE 1 IoCs

pid	Process
1144	65BA.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f59a7c194fad4fd4964ff4b87814067899a0d1dcbdfae408937d20379177ad6f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65BA.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 1144	2196	f59a7c194fad4fd4964ff4b87814067899a0d1dcbdfae408937d20379177ad6f.exe	93
PID 2196 wrote to memory of 1144	2196	f59a7c194fad4fd4964ff4b87814067899a0d1dcbdfae408937d20379177ad6f.exe	93
PID 2196 wrote to memory of 1144	2196	f59a7c194fad4fd4964ff4b87814067899a0d1dcbdfae408937d20379177ad6f.exe	93

C:\Users\Admin\AppData\Local\Temp\f59a7c194fad4fd4964ff4b87814067899a0d1dcbdfae408937d20379177ad6f.exe
"C:\Users\Admin\AppData\Local\Temp\f59a7c194fad4fd4964ff4b87814067899a0d1dcbdfae408937d20379177ad6f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\65BA.tmp
  "C:\Users\Admin\AppData\Local\Temp\65BA.tmp" --splashC:\Users\Admin\AppData\Local\Temp\f59a7c194fad4fd4964ff4b87814067899a0d1dcbdfae408937d20379177ad6f.exe D9E732AEEC32FEBBADC7D57E98DF16264D04FBD8CD5DE83F3C15DB663C533231036C6EE6F1AD0EFCB61615C1AE58355734B323F9CDB05D8E00422813AFDC2A6B
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3924,i,3861745594156495651,17595114179815238301,262144 --variations-seed-version --mojo-platform-channel-handle=2508 /prefetch:8
1⤵
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\65BA.tmp

Filesize
1.9MB

MD5
ec49272bf3d9781363aed35c2655e079

SHA1
46ac6dc5f27beb2d03bc3d8d6289efefd650c5ae

SHA256
947aa7e3d039017ec7c7f987d95d534434570770329be380261edefcaa15f35c

SHA512
31b0d98992603dcab002169b262a94f9d0cc0d014c610879424c080bf4962ef76bfc9d673074fe29b28fa3e7ee6b25c6c073d961f5a208d1fc474788c059f71c

Download Submit
memory/1144-5-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/2196-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download