639652ab600e1c6fc49d80a0c232de02dca16c40b7a128f5e46eaf53ee96fa3d

Analysis

max time kernel
316s
max time network
887s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04-09-2024 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Authentication.exe
Size

9KB
MD5

2a161f9805b4088051bf3a954939fdee
SHA1

4a4db6742960b99b7d3ee71a26359091e22ccc4a
SHA256

639652ab600e1c6fc49d80a0c232de02dca16c40b7a128f5e46eaf53ee96fa3d
SHA512

23f3ea7575f78b36d2e91d23e37046b276f4638a78b0a1fc2ca34d84be480a8fb61facc0a401fa2e9d9b0cc61e9b82bf200220c142a70cfe0734228e55d44088
SSDEEP

192:P4ljbia4jepy0b8AkZId5ze+WrRpVggDZLD:gfiGsdACIbSrLVbZL

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Authentication.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Authentication.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2132	NOTEPAD.EXE
4644	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4540	Authentication.exe
Token: SeDebugPrivilege	4984	Authentication.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 4080	4540	Authentication.exe	74
PID 4540 wrote to memory of 4080	4540	Authentication.exe	74
PID 4540 wrote to memory of 4080	4540	Authentication.exe	74
PID 4984 wrote to memory of 4104	4984	Authentication.exe	85
PID 4984 wrote to memory of 4104	4984	Authentication.exe	85
PID 4984 wrote to memory of 4104	4984	Authentication.exe	85

C:\Users\Admin\AppData\Local\Temp\Authentication.exe
"C:\Users\Admin\AppData\Local\Temp\Authentication.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Auth.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Auth.bat" "
1⤵
PID:4124

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Auth.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:2132

C:\Users\Admin\AppData\Local\Temp\Authentication.exe
"C:\Users\Admin\AppData\Local\Temp\Authentication.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Auth.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Auth.bat" "
1⤵
PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Auth.bat" "
1⤵
PID:5032

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Auth.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Authentication.exe.log

Filesize
1KB

MD5
2e47101ef9d3774d30194ed138e20bcf

SHA1
fccf20d0d6ff304f89972282cfdb5fe7cbfcde3a

SHA256
0fa790326bc221fdadc2ae443d9b29d075f74e316b50f44af7dcc0f7578a1174

SHA512
ed35b5e9eb9edd31f3a476c7ec86bcc106f97da6801602b2dd84d52f13d48330cd98965488b12f71d579ad8dd5f8dafab39d7f13c2e77a5c33bbeaa159aa9cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Auth.bat

Filesize
506B

MD5
011c2ddaf5f13e9dc5c3e34714bc3a8d

SHA1
fce6be4850ce52878c32d2d958dc9660e9a0b756

SHA256
8f0521ed2443aa19ed56c3584d2fefb45ffc16f8625cc44a8a43d63952918cb9

SHA512
e13e2a2ea84d0d2419b5f6141142d1a16678f405c537f6c06bcfffaa300e2b0e0d173682796fdc54ebc85c841d0110ae39b5cd247bc45d8a718aa9bc3de24e33

Download Submit
memory/4540-0-0x000000007352E000-0x000000007352F000-memory.dmp

Filesize
4KB

Download
memory/4540-1-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/4540-2-0x0000000073520000-0x0000000073C0E000-memory.dmp

Filesize
6.9MB

Download
memory/4540-6-0x0000000073520000-0x0000000073C0E000-memory.dmp

Filesize
6.9MB

Download