8d6a6b43d1bc5cb67cb8cf70ea54b40d7dbe955b7eae973953467a7601f3de4c

Analysis

max time kernel
119s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f391d207ea95bb4439938a97d5751b30N.exe
Size

30KB
MD5

f391d207ea95bb4439938a97d5751b30
SHA1

1bf2808d35e729723ab4986f00a7514cd242cf08
SHA256

8d6a6b43d1bc5cb67cb8cf70ea54b40d7dbe955b7eae973953467a7601f3de4c
SHA512

e2f35924ad74b87e62406a9b374bc669684dc9c55ad521b64abb744ef9fff477f886a8bbff5545419fcf56e6f32f58eccc66a76144874a505f5fe1641446549a
SSDEEP

384:v/4LNJY74JwOllSBQmrb0i5PrmqHIKpa54b5f0iws0wGXeAc0q:v/qSamrxDmqoKM4Z0iwtwAK0q

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4656	2024090914.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f391d207ea95bb4439938a97d5751b30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024090914.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
432	f391d207ea95bb4439938a97d5751b30N.exe
4656	2024090914.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 4656	432	f391d207ea95bb4439938a97d5751b30N.exe	83
PID 432 wrote to memory of 4656	432	f391d207ea95bb4439938a97d5751b30N.exe	83
PID 432 wrote to memory of 4656	432	f391d207ea95bb4439938a97d5751b30N.exe	83
PID 432 wrote to memory of 4920	432	f391d207ea95bb4439938a97d5751b30N.exe	85
PID 432 wrote to memory of 4920	432	f391d207ea95bb4439938a97d5751b30N.exe	85
PID 432 wrote to memory of 4920	432	f391d207ea95bb4439938a97d5751b30N.exe	85

C:\Users\Admin\AppData\Local\Temp\f391d207ea95bb4439938a97d5751b30N.exe
"C:\Users\Admin\AppData\Local\Temp\f391d207ea95bb4439938a97d5751b30N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Local\Temp\2024090914.exe
  C:\Users\Admin\AppData\Local\Temp\2024090914.exe down
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\del.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024090914.exe

Filesize
30KB

MD5
7722fb25dce12b057a49df70e648c404

SHA1
8c5340c5e9c4f281c31e9dca792afa5e09139fb4

SHA256
18e82426cd284fff2c10b1deaa263501ecb30443a7589e7072bdaf64518ed54f

SHA512
53b56aaaf7ab41d6378437afc017dd4ab142d8f29c73a6f00443da34b85f6f6ede042e1efbd39063733598d8af9926b157d86ef3aaf46511ed07450ef5d20712

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.bat

Filesize
174B

MD5
d143105d96d8ce2aa04007d06da9c86a

SHA1
70e8441d89f1f3c8a7c8324f671ce5fb897dd539

SHA256
7f2e23ca1401cc862de2f269eeaab28c14228e01f9f616acebd002ccc983b914

SHA512
bba2d0c7d6e1fecf9544f3881aa485b1008347e5a492b08b0e72aece2e36a68e1d9f12b251e4758eed20f5b2cb0fa826a2c6d4f7e4c5d1d21097ac8989c1242c

Download Submit
memory/4656-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download