3f89e36ce77be3151eae0bfd137f7797a591950cf270165b5d5efcdacf4b763f

Analysis

max time kernel
114s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e53b7ee69436ae0d4e4811f36c2c540N.exe
Size

97KB
MD5

1e53b7ee69436ae0d4e4811f36c2c540
SHA1

24887e25edcb4703cd499b3a6f3993a005369208
SHA256

3f89e36ce77be3151eae0bfd137f7797a591950cf270165b5d5efcdacf4b763f
SHA512

81961daa2f54f8863c26b5ea7c5be38945c28fab0cc18c9d03682b6bcb3d419784460f72cae275fc21074429b83ce60e2ef5c5d1cc55555fd9759fb83954fe81
SSDEEP

1536:0MybiksPWaKVqY3k8qD3uFbzzO8C4Y9c+sJUZy/K/s9b84C6:ty+3WaKVGD3uFHC8C4jWiv

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1844	olacweegim.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	checkip.dyndns.org

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e53b7ee69436ae0d4e4811f36c2c540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	olacweegim.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1844	2156	1e53b7ee69436ae0d4e4811f36c2c540N.exe	84
PID 2156 wrote to memory of 1844	2156	1e53b7ee69436ae0d4e4811f36c2c540N.exe	84
PID 2156 wrote to memory of 1844	2156	1e53b7ee69436ae0d4e4811f36c2c540N.exe	84

C:\Users\Admin\AppData\Local\Temp\1e53b7ee69436ae0d4e4811f36c2c540N.exe
"C:\Users\Admin\AppData\Local\Temp\1e53b7ee69436ae0d4e4811f36c2c540N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\olacweegim.exe
  C:\Users\Admin\AppData\Local\Temp\olacweegim.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\olacweegim.exe

Filesize
97KB

MD5
d74412fea41b06383ded19499d62e355

SHA1
7e99bc22244abad108b2ad82e90dc78cc9156d41

SHA256
3eb6272560ed38cb198f612241205d22a30abb27f8ed34eedd06566068105759

SHA512
0d91ff5f9435c4ab451835393526a863c42347cae0b2ed3c8f3d3e7679b07067b2d8e10b511af62380e1fa9aad4b5eb8a17a3eb7691233a8de8e7d6f6a2f3edd

Download Submit
memory/1844-5-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1844-6-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2156-0-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download