42f2af0b128e5b679f333178accdc3481b2c09a9207f11ccf908a231c5cae72e

Analysis

max time kernel
110s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f95bdf4489f05cd4395021f36d59080N.exe
Size

2.9MB
MD5

5f95bdf4489f05cd4395021f36d59080
SHA1

a7ac493eb92d616f8a9be4826434ac13d9596bcc
SHA256

42f2af0b128e5b679f333178accdc3481b2c09a9207f11ccf908a231c5cae72e
SHA512

3e46d2d4b3b2f0d94c661c795e3c427468b83084ecd796679da359ec7ef1b8e6af1aff8b48eb7e413f1c469fde07228ba0ca9c15b09d243cad4630fc4854efd0
SSDEEP

49152:U98k/vjvOjDdLoEhuu/uzvkW+jassB3qV5ewoqbR8pWlFTDDpPbYuukyUaj8mxpc:e8k3jWkzu2nssB3QkwoqbRcWl9tYjjvc

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	5f95bdf4489f05cd4395021f36d59080N.tmp

Executes dropped EXE 1 IoCs

pid	Process
316	5f95bdf4489f05cd4395021f36d59080N.tmp

Loads dropped DLL 2 IoCs

pid	Process
316	5f95bdf4489f05cd4395021f36d59080N.tmp
316	5f95bdf4489f05cd4395021f36d59080N.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f95bdf4489f05cd4395021f36d59080N.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f95bdf4489f05cd4395021f36d59080N.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2212	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 316	2752	5f95bdf4489f05cd4395021f36d59080N.exe	82
PID 2752 wrote to memory of 316	2752	5f95bdf4489f05cd4395021f36d59080N.exe	82
PID 2752 wrote to memory of 316	2752	5f95bdf4489f05cd4395021f36d59080N.exe	82
PID 316 wrote to memory of 2212	316	5f95bdf4489f05cd4395021f36d59080N.tmp	86
PID 316 wrote to memory of 2212	316	5f95bdf4489f05cd4395021f36d59080N.tmp	86
PID 316 wrote to memory of 2212	316	5f95bdf4489f05cd4395021f36d59080N.tmp	86

C:\Users\Admin\AppData\Local\Temp\5f95bdf4489f05cd4395021f36d59080N.exe
"C:\Users\Admin\AppData\Local\Temp\5f95bdf4489f05cd4395021f36d59080N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Local\Temp\is-UH01I.tmp\5f95bdf4489f05cd4395021f36d59080N.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-UH01I.tmp\5f95bdf4489f05cd4395021f36d59080N.tmp" /SL5="$70062,2730126,82432,C:\Users\Admin\AppData\Local\Temp\5f95bdf4489f05cd4395021f36d59080N.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im smservice.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-QE4GJ.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UH01I.tmp\5f95bdf4489f05cd4395021f36d59080N.tmp

Filesize
720KB

MD5
edcaf4336373f00c3fb1c3d2fd8b0bf8

SHA1
3ce7c32015c541cada4d6887656eb3bb546df08b

SHA256
63ffe50ed1d08f0ea3fc4d807f60dc64ed5fec676a0ccc76e1d07ff5b5464fe3

SHA512
abbaf020e43588b18313e4484170737136072bf169b4e859121e4d04cf6e30492cf218ffc01b5bb46f6289f535cce49313e17a628eeed2e08b746a891a67e869

Download Submit
memory/316-7-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/316-16-0x0000000003A80000-0x0000000003ABC000-memory.dmp

Filesize
240KB

Download
memory/316-20-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/316-21-0x0000000003A80000-0x0000000003ABC000-memory.dmp

Filesize
240KB

Download
memory/2752-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2752-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2752-19-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download