Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-09-2024 22:45
Static task: static1
Behavioral task: behavioral1
- Sample: Authentication.exe
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: Authentication.exe
- Resource: win10v2004-20240802-en
General
- Target: Authentication.exe
- Size: 9KB
- MD5: 2a161f9805b4088051bf3a954939fdee
- SHA1: 4a4db6742960b99b7d3ee71a26359091e22ccc4a
- SHA256: 639652ab600e1c6fc49d80a0c232de02dca16c40b7a128f5e46eaf53ee96fa3d
- SHA512: 23f3ea7575f78b36d2e91d23e37046b276f4638a78b0a1fc2ca34d84be480a8fb61facc0a401fa2e9d9b0cc61e9b82bf200220c142a70cfe0734228e55d44088
- SSDEEP: 192:P4ljbia4jepy0b8AkZId5ze+WrRpVggDZLD:gfiGsdACIbSrLVbZL
Malware Config
Signatures
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Authentication.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   process
  Token: SeDebugPrivilege   1912  Authentication.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   process             procid_target
  PID 1912 wrote to memory of 1364   1912  Authentication.exe  87
  PID 1912 wrote to memory of 1364   1912  Authentication.exe  87
  PID 1912 wrote to memory of 1364   1912  Authentication.exe  87
Processes
- C:\Users\Admin\AppData\Local\Temp\Authentication.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Authentication.exe"
  PID: 1912
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child process)
    Command line: "cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Auth.bat"
    PID: 1364
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 506B
  MD5: 011c2ddaf5f13e9dc5c3e34714bc3a8d
  SHA1: fce6be4850ce52878c32d2d958dc9660e9a0b756
  SHA256: 8f0521ed2443aa19ed56c3584d2fefb45ffc16f8625cc44a8a43d63952918cb9
  SHA512: e13e2a2ea84d0d2419b5f6141142d1a16678f405c537f6c06bcfffaa300e2b0e0d173682796fdc54ebc85c841d0110ae39b5cd247bc45d8a718aa9bc3de24e33