bc40176a510efbdfdebe4f43144277fbd74bd07de44bd989be6899b4dbeabc92

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec4e3df1d2b0b196450eeb6a46b5d4f0N.exe
Size

4.4MB
MD5

ec4e3df1d2b0b196450eeb6a46b5d4f0
SHA1

b6c08f20b87f1681e81c47ed627ae29112485c9e
SHA256

bc40176a510efbdfdebe4f43144277fbd74bd07de44bd989be6899b4dbeabc92
SHA512

075fe2dfe7d746e88ff290aed6070b603f045f40469983e31df74627b4dcaa49550c0b35f50eefec722dbb82bb6e73de377bfe761cf8d1677995d1acc1135c33
SSDEEP

98304:emhd1UryesDzcMDaJ/IXmHYV7wQqZUha5jtSn:elAzXGRK2QbaZte

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1040	7232.tmp

Executes dropped EXE 1 IoCs

pid	Process
1040	7232.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec4e3df1d2b0b196450eeb6a46b5d4f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7232.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 1040	4004	ec4e3df1d2b0b196450eeb6a46b5d4f0N.exe	86
PID 4004 wrote to memory of 1040	4004	ec4e3df1d2b0b196450eeb6a46b5d4f0N.exe	86
PID 4004 wrote to memory of 1040	4004	ec4e3df1d2b0b196450eeb6a46b5d4f0N.exe	86

C:\Users\Admin\AppData\Local\Temp\ec4e3df1d2b0b196450eeb6a46b5d4f0N.exe
"C:\Users\Admin\AppData\Local\Temp\ec4e3df1d2b0b196450eeb6a46b5d4f0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Local\Temp\7232.tmp
  "C:\Users\Admin\AppData\Local\Temp\7232.tmp" --splashC:\Users\Admin\AppData\Local\Temp\ec4e3df1d2b0b196450eeb6a46b5d4f0N.exe 67066AFB02441B2AEF13337DEE469259785D7C9157FF7A6D88549C5268AE15ADC277A4DBBA97B0C967ABFB69B23126AB7BD5B0D479E4B8957FD953B1ACA8F01D
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7232.tmp

Filesize
4.4MB

MD5
8b09a04cc642a5744ac821b7f731713f

SHA1
c2968eccdf0d908f1489451cb4be14c581b17106

SHA256
816f9b4c1caf7e8d40ea781ce4edaa4b54f8c941083a654a59af701e0f86fbb0

SHA512
027684f0cf5eb95cd965781bf630aa9141e11812e8c0351408e9eb0393b93c4e8fc405050658d8a6593f26cbe15b1a2dba2ae840d374ac633a88f099438c58dd

Download Submit
memory/1040-5-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/4004-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download