7265e6143c20a0c565a5ff36fbee23cd74c0b8979472ac6b36bfb4ac08a8813f

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 19:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1883e8de94808ebd9d8d25b0f60e06e0N.exe
Size

5.5MB
MD5

1883e8de94808ebd9d8d25b0f60e06e0
SHA1

4bbc4330abb7261ebe4537590fbe5c443fc26f77
SHA256

7265e6143c20a0c565a5ff36fbee23cd74c0b8979472ac6b36bfb4ac08a8813f
SHA512

004247c4f52b09c944c1ecc5dc3cb8751a8a2d4d40bb13a98c57a1491f9417d8616c940755b1f69639ded414b9a8a93d9226fe84def63d71b3108773be00a0d7
SSDEEP

98304:zFXZp6+Wvl3D1tBpzOUV3m+hVGiqhx0RHbNvR5D1toKOQ5MpIcRnVKN1f:xpLclppiUFm+X1v7lD1tZOBFVK3f

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4956	8E26.tmp

Executes dropped EXE 1 IoCs

pid	Process
4956	8E26.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1883e8de94808ebd9d8d25b0f60e06e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8E26.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 4956	4192	1883e8de94808ebd9d8d25b0f60e06e0N.exe	83
PID 4192 wrote to memory of 4956	4192	1883e8de94808ebd9d8d25b0f60e06e0N.exe	83
PID 4192 wrote to memory of 4956	4192	1883e8de94808ebd9d8d25b0f60e06e0N.exe	83

C:\Users\Admin\AppData\Local\Temp\1883e8de94808ebd9d8d25b0f60e06e0N.exe
"C:\Users\Admin\AppData\Local\Temp\1883e8de94808ebd9d8d25b0f60e06e0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\8E26.tmp
  "C:\Users\Admin\AppData\Local\Temp\8E26.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8E26.tmp

Filesize
5.5MB

MD5
0b14218f6a9314b15bdad287190f7ce8

SHA1
0e5f16913509f61814f4c25095a3bb7c1171a367

SHA256
f945ef8b89e2ee13c49f30dd318738d3d64070b8e21c0e4dc7203324fc959c86

SHA512
79a977b1b0553a8ba123ad2412b6bc582e04973666eb535b716417d62fe45d64d4d9320e7ca9135bbbc296ec3b4360b2cd4d441e771d49c2e51efd4241901120

Download Submit