6ceafffb10750916aa94019bbcd102e345ba8abaea5f49fba482fc115b301bce

Analysis

max time kernel
110s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 10:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aaa59dfe48b6fc9f1e5163089601c800N.exe
Size

1.7MB
MD5

aaa59dfe48b6fc9f1e5163089601c800
SHA1

ddb7864e0e05cbc6820d852bbb1b7ada03c76976
SHA256

6ceafffb10750916aa94019bbcd102e345ba8abaea5f49fba482fc115b301bce
SHA512

ca318225761ef4b5a7604c7ff9b4b93daa59111e3a72abd55c014e7d68da76ed1df083c5af8b7e02845c725d129af6b7c97bb05f5831e40860983a1e83d6cbb7
SSDEEP

24576:i7FUDowAyrTVE3U5FQLVm7BV8TgQaAnrkgJxGXGIoCTnEpGs9t6k7u4:iBuZrEUN7BVOg6rz2XGV0nwGsy4

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2364	aaa59dfe48b6fc9f1e5163089601c800N.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaa59dfe48b6fc9f1e5163089601c800N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaa59dfe48b6fc9f1e5163089601c800N.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2364	2368	aaa59dfe48b6fc9f1e5163089601c800N.exe	84
PID 2368 wrote to memory of 2364	2368	aaa59dfe48b6fc9f1e5163089601c800N.exe	84
PID 2368 wrote to memory of 2364	2368	aaa59dfe48b6fc9f1e5163089601c800N.exe	84

C:\Users\Admin\AppData\Local\Temp\aaa59dfe48b6fc9f1e5163089601c800N.exe
"C:\Users\Admin\AppData\Local\Temp\aaa59dfe48b6fc9f1e5163089601c800N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\is-ILIQE.tmp\aaa59dfe48b6fc9f1e5163089601c800N.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ILIQE.tmp\aaa59dfe48b6fc9f1e5163089601c800N.tmp" /SL5="$50202,869225,844288,C:\Users\Admin\AppData\Local\Temp\aaa59dfe48b6fc9f1e5163089601c800N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-ILIQE.tmp\aaa59dfe48b6fc9f1e5163089601c800N.tmp

Filesize
3.0MB

MD5
64af3f7214822ae01d471f7e43a91666

SHA1
2b487cae162e19e3c009fd5baaae0de2100580b8

SHA256
735a4240066308bf351eb4bb70fe7a8cbba2a132ee80df7cb7b62a26b0d4fdbc

SHA512
3caf4aa3915b73c4e756f5853072f15737821e8b3f835000f18aa753f4a3fbc45bcc6c424ce140abf2ff273592833cb56f1d887c9ab81e13ac1a925b1ed736d3

Download Submit
memory/2364-6-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/2364-12-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/2368-0-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2368-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2368-11-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download