3c276917a800a8c9ad19b82efe50abb88d6105954a5b99f1b1f2f1e6a6b2fb44

Analysis

max time kernel
151s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xfer.Records.Serum.v1.363-TCD.exe
Size

194.4MB
MD5

022bdfff9aae163cdad8a6592d6f875b
SHA1

6e3d3c0d9577f63ad3486301b96da5a078e7998d
SHA256

3c276917a800a8c9ad19b82efe50abb88d6105954a5b99f1b1f2f1e6a6b2fb44
SHA512

9c6fb958f60bcf8d28e1f2162f6126db64756b08b5759838fe9eb175e1132a8bfc7d502100980ba24e32cc9fdab758e33a6b3ec68add092d13d7c4dd7661b727
SSDEEP

3145728:xFouHlx5rcWFlzaNTX8UXQlTQEu1zHZXbob8d4eCHA++JgDSbQ0c0/u/hUVIIng3:xxHP5rhmNB/5obr9AXJkSk00hUmIng44

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4244	Xfer.Records.Serum.v1.363-TCD.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xfer.Records.Serum.v1.363-TCD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xfer.Records.Serum.v1.363-TCD.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 4244	3200	Xfer.Records.Serum.v1.363-TCD.exe	87
PID 3200 wrote to memory of 4244	3200	Xfer.Records.Serum.v1.363-TCD.exe	87
PID 3200 wrote to memory of 4244	3200	Xfer.Records.Serum.v1.363-TCD.exe	87

C:\Users\Admin\AppData\Local\Temp\Xfer.Records.Serum.v1.363-TCD.exe
"C:\Users\Admin\AppData\Local\Temp\Xfer.Records.Serum.v1.363-TCD.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Users\Admin\AppData\Local\Temp\is-TA6CT.tmp\Xfer.Records.Serum.v1.363-TCD.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TA6CT.tmp\Xfer.Records.Serum.v1.363-TCD.tmp" /SL5="$C01CE,202736105,792576,C:\Users\Admin\AppData\Local\Temp\Xfer.Records.Serum.v1.363-TCD.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-TA6CT.tmp\Xfer.Records.Serum.v1.363-TCD.tmp

Filesize
3.0MB

MD5
d6767f8e3108c06d646ec46d547c4a43

SHA1
6e951499919cfaa9bc10abb15690398b4474d688

SHA256
d5b52c20cca1be2bff6bc2f7d5c9168082bb9a9c1522cb4a9443174f114b71c7

SHA512
b9ee131c71e877e0bf49e6a09504cef3975889cba2ed2056f54165e113d518264c580d1d20e44b9026f8f28ec9181bee7083c6e055891ef5b47244ec5a1d3961

Download Submit
memory/3200-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3200-0-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3200-8-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4244-6-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/4244-9-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download