ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a

General

Target

46cf6b1946429c912fe569ce4b5e8a10.exe
Size

3.9MB
MD5

46cf6b1946429c912fe569ce4b5e8a10
SHA1

d7e0240a1a4d021800ccc9ace9fdb310ffa63052
SHA256

ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a
SHA512

29a1f0c35f6d8beaa3941c120d01b255933edc7b4b7c6f21267ce19d2678ee868ade3e2c1e476704a22acfc0a13b627c755ad474eb960a17cd7725665adeeacf
SSDEEP

98304:sfUbmfIe1hxCTvblT3gbG3WfaWLUMxSZNOWfhL:sfUyzSTBgyGslhL

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

46cf6b1946429c912fe569ce4b5e8a10.exepythonw.exe

pid	Process
1980	46cf6b1946429c912fe569ce4b5e8a10.exe
1976	pythonw.exe

Loads dropped DLL 4 IoCs

Processes:

46cf6b1946429c912fe569ce4b5e8a10.exe46cf6b1946429c912fe569ce4b5e8a10.exepythonw.exe

pid	Process
2136	46cf6b1946429c912fe569ce4b5e8a10.exe
1980	46cf6b1946429c912fe569ce4b5e8a10.exe
1980	46cf6b1946429c912fe569ce4b5e8a10.exe
1976	pythonw.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

46cf6b1946429c912fe569ce4b5e8a10.exe46cf6b1946429c912fe569ce4b5e8a10.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46cf6b1946429c912fe569ce4b5e8a10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46cf6b1946429c912fe569ce4b5e8a10.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

46cf6b1946429c912fe569ce4b5e8a10.exe46cf6b1946429c912fe569ce4b5e8a10.exe

description	pid	Process	procid_target
PID 2136 wrote to memory of 1980	2136	46cf6b1946429c912fe569ce4b5e8a10.exe	28
PID 2136 wrote to memory of 1980	2136	46cf6b1946429c912fe569ce4b5e8a10.exe	28
PID 2136 wrote to memory of 1980	2136	46cf6b1946429c912fe569ce4b5e8a10.exe	28
PID 2136 wrote to memory of 1980	2136	46cf6b1946429c912fe569ce4b5e8a10.exe	28
PID 2136 wrote to memory of 1980	2136	46cf6b1946429c912fe569ce4b5e8a10.exe	28
PID 2136 wrote to memory of 1980	2136	46cf6b1946429c912fe569ce4b5e8a10.exe	28
PID 2136 wrote to memory of 1980	2136	46cf6b1946429c912fe569ce4b5e8a10.exe	28
PID 1980 wrote to memory of 1976	1980	46cf6b1946429c912fe569ce4b5e8a10.exe	31
PID 1980 wrote to memory of 1976	1980	46cf6b1946429c912fe569ce4b5e8a10.exe	31
PID 1980 wrote to memory of 1976	1980	46cf6b1946429c912fe569ce4b5e8a10.exe	31
PID 1980 wrote to memory of 1976	1980	46cf6b1946429c912fe569ce4b5e8a10.exe	31

C:\Users\Admin\AppData\Local\Temp\46cf6b1946429c912fe569ce4b5e8a10.exe
"C:\Users\Admin\AppData\Local\Temp\46cf6b1946429c912fe569ce4b5e8a10.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\Temp\{10E67732-725B-463B-9BFC-8449349E381B}\.cr\46cf6b1946429c912fe569ce4b5e8a10.exe
  "C:\Windows\Temp\{10E67732-725B-463B-9BFC-8449349E381B}\.cr\46cf6b1946429c912fe569ce4b5e8a10.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\46cf6b1946429c912fe569ce4b5e8a10.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\Temp\{E84BCB2E-36D7-41CE-BA83-8C2D40494D08}\.ba\pythonw.exe
    "C:\Windows\Temp\{E84BCB2E-36D7-41CE-BA83-8C2D40494D08}\.ba\pythonw.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{E84BCB2E-36D7-41CE-BA83-8C2D40494D08}\.ba\pythonw.exe

Filesize
94KB

MD5
9a4cc0d8e7007f7ef20ca585324e0739

SHA1
f3e5a2e477cac4bab85940a2158eed78f2d74441

SHA256
040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92

SHA512
54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

Download Submit
\Windows\Temp\{10E67732-725B-463B-9BFC-8449349E381B}\.cr\46cf6b1946429c912fe569ce4b5e8a10.exe

Filesize
3.9MB

MD5
46cf6b1946429c912fe569ce4b5e8a10

SHA1
d7e0240a1a4d021800ccc9ace9fdb310ffa63052

SHA256
ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a

SHA512
29a1f0c35f6d8beaa3941c120d01b255933edc7b4b7c6f21267ce19d2678ee868ade3e2c1e476704a22acfc0a13b627c755ad474eb960a17cd7725665adeeacf

Download Submit
\Windows\Temp\{E84BCB2E-36D7-41CE-BA83-8C2D40494D08}\.ba\Jetsam.dll

Filesize
1.1MB

MD5
75b33115ef399463ee76b3421add1ea1

SHA1
1661b9acf1da0aca0c53fee71e5b2394c7c3320d

SHA256
97b3113d73a62755cd99fac73eadb311d1204e6ec1034a85a585955e202e1132

SHA512
fe86854113de67844fd92904ec8d9468f031ea40bbfd38df79d63ce53bc6e95a0ab5f444b4b85cd9a3c2ac264552366ef7148a8b30a09e8c1b95eb949061ddfc

Download Submit
\Windows\Temp\{E84BCB2E-36D7-41CE-BA83-8C2D40494D08}\.ba\python310.dll

Filesize
4.3MB

MD5
c67e805577c808d1b2e63bcc875a6e0c

SHA1
04405071881e4d7b9dae6a8e4f5cb94a69354ecd

SHA256
c1d822a1cd0d204d782d5d5627875608a5acb2008fbfd2346af4f63243e87a40

SHA512
c17febfe45642bb125b1a80a9e2447b25152ce32034b46d1e8dfa74396e51e3c83fb3f844a3814138b308131292884a104afbc5a2262816bd682d6beca142599

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads