5fa6221c2708a045822d3b2c47510ece0fece535d7da395817b0cb89b0aedd7d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ccdfc518d1d0520690bb72a80d8105f5f20310fdabb40c0c8b5323b29302c7e.exe
Size

1.9MB
MD5

26b9d7d30ae43742478a8ef2763b4e49
SHA1

f9b2dc7b05efc3d876b3d8862edbfd3a19e1404e
SHA256

9ccdfc518d1d0520690bb72a80d8105f5f20310fdabb40c0c8b5323b29302c7e
SHA512

76922a88e3dd48615248a3b6edaf1034a6c70f9611562f7216ccbf40e948b2421acf4c5d884d7be21165c8752b3bf9e3f7928bda2bf614df6a62cc0a1abb6db2
SSDEEP

24576:N2oo60HPdt+1CRiY2eOBvcj3u10d5AKkyZL6t8X8El8db0drok5rtbOt6Zfe/7x/:Qoa1taC070dGCLFWb0x9tKQ+dsRGTd0k

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1868	B391.tmp

Executes dropped EXE 1 IoCs

pid	Process
1868	B391.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ccdfc518d1d0520690bb72a80d8105f5f20310fdabb40c0c8b5323b29302c7e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B391.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 1868	4572	9ccdfc518d1d0520690bb72a80d8105f5f20310fdabb40c0c8b5323b29302c7e.exe	86
PID 4572 wrote to memory of 1868	4572	9ccdfc518d1d0520690bb72a80d8105f5f20310fdabb40c0c8b5323b29302c7e.exe	86
PID 4572 wrote to memory of 1868	4572	9ccdfc518d1d0520690bb72a80d8105f5f20310fdabb40c0c8b5323b29302c7e.exe	86

C:\Users\Admin\AppData\Local\Temp\9ccdfc518d1d0520690bb72a80d8105f5f20310fdabb40c0c8b5323b29302c7e.exe
"C:\Users\Admin\AppData\Local\Temp\9ccdfc518d1d0520690bb72a80d8105f5f20310fdabb40c0c8b5323b29302c7e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Users\Admin\AppData\Local\Temp\B391.tmp
  "C:\Users\Admin\AppData\Local\Temp\B391.tmp" --splashC:\Users\Admin\AppData\Local\Temp\9ccdfc518d1d0520690bb72a80d8105f5f20310fdabb40c0c8b5323b29302c7e.exe C8CBD6C36CF4369A48D651B5C980118F2C4F68945CCE45377E99C2A9C9F8AE3A2110FC1F43343A0B95A64DAB05E02F2D8D2B61D4FC3AE23C13F54D628506E329
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B391.tmp

Filesize
1.9MB

MD5
7f1e6b3dda0782158de2da39b0f5271f

SHA1
667c809ef6aa6d0b36c628b23f6793450b971db3

SHA256
231ec73d6f8596606252f042f51808c8f53eda747f1887013b74c3f65447114d

SHA512
38ad3b8d59c30317dacf8132da0f5b01513c534f9585da64ec7608c1afdf684a3f03486d8f96e117ad4e29389b6956670c596767e24738e6f5941686b7b2493b

Download Submit
memory/1868-5-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/4572-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download