276f6452862905ab58e5f7bbcd2f97dde2d2b271aa6c9d44cf59d98a81d98dd5

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

au.exe
Size

4.1MB
MD5

fb50ca23df24621edbde4e30ce4981d9
SHA1

08c350054db878397361257c96bb17e911e96f9f
SHA256

499fe526f58d8558a8836d1f3f24ea036edc367107f824c8a2745ade54635867
SHA512

a73837e0ae511b9a24ff39d02f91d98704ffeb4c08dde7643c1fa229a37720902225668737f2d500d2cce026a541cb382e89475682030e4608cf6dc4c099ddd7
SSDEEP

98304:q8172C7HzW3x1/u/ZBgdjDAY9B8FFlzHnVG5yyD4:p1BzzqiRBrhzHVG5yD

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2492	au.exe
2492	au.exe
2492	au.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	au.exe

C:\Users\Admin\AppData\Local\Temp\au.exe
"C:\Users\Admin\AppData\Local\Temp\au.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nswB102.tmp\InstallOptions.dll

Filesize
14KB

MD5
0dc0cc7a6d9db685bf05a7e5f3ea4781

SHA1
5d8b6268eeec9d8d904bc9d988a4b588b392213f

SHA256
8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c

SHA512
814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB102.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB102.tmp\ioSpecial.ini

Filesize
700B

MD5
630d3d3b1201e45bb58af400279d4680

SHA1
64b5174769d531277004add21a70728899b45764

SHA256
451a8bbb477a710f7fd3a3a28054252553d30bb881d947ebc3ff8a459018636c

SHA512
8a1bb07cffae326f9591f94486d8b14d8fd565bcb2367f6ffee9077c071a60a5b467d44d0f96324009deff51e6043d44d3dcf344d59130ba190e91d17e39633a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB102.tmp\ioSpecial.ini

Filesize
713B

MD5
b977a13a0fe55ff667aac2170e9b7aaa

SHA1
1edc2f86e044b7ae49da28b81fe023a5def41ffb

SHA256
dcba3626ab067a4e7273dc2ffee72a5f737ae860e13190cf5659aff0c2f709b1

SHA512
d2fd11b72449b902306dcf22b85555fe882cc593cb9393fd1e7354e7f04ab4daa09bc552b15239d6688da355dbde9ff5163eaba97dedd236700105d1a589bd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB102.tmp\ioSpecial.ini

Filesize
739B

MD5
1f9b9f1a01cb7e52e5d55b61d93631cc

SHA1
635b8522ce16957334abe762b3aa5a37c80f71ef

SHA256
526900e06d9f3504e51fc6dc204b3ef5452b9bacb708a5d5116caff743996431

SHA512
8a9d333c6b7afeed7805dfcebfe1abdb051563448c398a33bdb03acb9ecf8c81881eeb81911c40bbc95f7e44c6b1e1f8f6ceb0b4a1e3d2e1a090b769fa6d9a5d

Download Submit