55434abd631b25df8517a7d94b5ce3ea5ba02259b207587435c40f48e93e4dc5

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55434abd631b25df8517a7d94b5ce3ea5ba02259b207587435c40f48e93e4dc5.exe
Size

24KB
MD5

42c91e7efe7ed21f364197bfc226e9b5
SHA1

7672c880b0d706e019718a34925f1864f5f23a9a
SHA256

55434abd631b25df8517a7d94b5ce3ea5ba02259b207587435c40f48e93e4dc5
SHA512

f28e4505279247c13b1d4fc83f0741cf8cd83679a7d2771dec773a285b8845b7bcd9145efda29381b84214c14c0961562e7302de57226bcc0e63db22b8978ae2
SSDEEP

768:0ex2ZFuS3P4OjHXRrs9sINeZEtejlIkoLN127BFVn2p4lAnZ8Oog+fGy:0eqPjXRrs9sINeZEtejlIkoLN127BFVR

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	55434abd631b25df8517a7d94b5ce3ea5ba02259b207587435c40f48e93e4dc5.exe

Executes dropped EXE 1 IoCs

pid	Process
2508	google_updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55434abd631b25df8517a7d94b5ce3ea5ba02259b207587435c40f48e93e4dc5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	google_updater.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 2508	1532	55434abd631b25df8517a7d94b5ce3ea5ba02259b207587435c40f48e93e4dc5.exe	85
PID 1532 wrote to memory of 2508	1532	55434abd631b25df8517a7d94b5ce3ea5ba02259b207587435c40f48e93e4dc5.exe	85
PID 1532 wrote to memory of 2508	1532	55434abd631b25df8517a7d94b5ce3ea5ba02259b207587435c40f48e93e4dc5.exe	85

C:\Users\Admin\AppData\Local\Temp\55434abd631b25df8517a7d94b5ce3ea5ba02259b207587435c40f48e93e4dc5.exe
"C:\Users\Admin\AppData\Local\Temp\55434abd631b25df8517a7d94b5ce3ea5ba02259b207587435c40f48e93e4dc5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Local\Temp\google_updater.exe
  "C:\Users\Admin\AppData\Local\Temp\google_updater.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\google_updater.exe

Filesize
24KB

MD5
d4d47cd7e2a629851f0716cb925ae8b1

SHA1
36d2136fecfdabd1fef006a054b65475341709bb

SHA256
4c08553f02e7aea739a3f6f5e1c6fcf2b4cbbce521c14bf9b4af7567e3160ae1

SHA512
fd60f0107865e484137a6dcb4ecf081839e5035bca815b74d9b9bebcf93299c9cbaed6030779116db901bed3e042419323ad3fe71616844ed0d27f533cda8839

Download Submit
memory/1532-0-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/2508-12-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download