1225b77ccd2c1479b52f0ba03fee7b6a07cc7dd12660f62a369a156a31f10946

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7d1fc2e7181c835679f6743e884b210N.exe
Size

3.5MB
MD5

d7d1fc2e7181c835679f6743e884b210
SHA1

c9866d544b7042dc4bc795e5afe03ec54b4fb1eb
SHA256

1225b77ccd2c1479b52f0ba03fee7b6a07cc7dd12660f62a369a156a31f10946
SHA512

7fa22d51d3721826ea7185eb6423804239260d6b223cc668196983fee104e1c29127e561492f9f380102cc0bae58309b6c0649e9546071831ca53fe00fff3484
SSDEEP

49152:xaOLqZMLAxmB/Tv8lOzR7tQ0A5QGImYfujUkiVWEVPbhbIrs3xehOfqaJM2eH7bB:AOEMLA8bnGfjel4sB9fqUwJpVjwBE+nI

Score

6^/10

defense_evasion discovery

Malware Config

Signatures

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Executes dropped EXE 1 IoCs

pid	Process
5032	d7d1fc2e7181c835679f6743e884b210N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7d1fc2e7181c835679f6743e884b210N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7d1fc2e7181c835679f6743e884b210N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 5032	1240	d7d1fc2e7181c835679f6743e884b210N.exe	84
PID 1240 wrote to memory of 5032	1240	d7d1fc2e7181c835679f6743e884b210N.exe	84
PID 1240 wrote to memory of 5032	1240	d7d1fc2e7181c835679f6743e884b210N.exe	84
PID 5032 wrote to memory of 3020	5032	d7d1fc2e7181c835679f6743e884b210N.exe	95
PID 5032 wrote to memory of 3020	5032	d7d1fc2e7181c835679f6743e884b210N.exe	95
PID 5032 wrote to memory of 3020	5032	d7d1fc2e7181c835679f6743e884b210N.exe	95

C:\Users\Admin\AppData\Local\Temp\d7d1fc2e7181c835679f6743e884b210N.exe
"C:\Users\Admin\AppData\Local\Temp\d7d1fc2e7181c835679f6743e884b210N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Local\Temp\{45797E98-F557-4FB4-9E46-87BE24A799A2}\d7d1fc2e7181c835679f6743e884b210N.exe
  C:\Users\Admin\AppData\Local\Temp\{45797E98-F557-4FB4-9E46-87BE24A799A2}\d7d1fc2e7181c835679f6743e884b210N.exe /q"C:\Users\Admin\AppData\Local\Temp\d7d1fc2e7181c835679f6743e884b210N.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{45797E98-F557-4FB4-9E46-87BE24A799A2}" /IS_temp
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{45797E98-F557-4FB4-9E46-87BE24A799A2}"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{45797E98-F557-4FB4-9E46-87BE24A799A2}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{45797E98-F557-4FB4-9E46-87BE24A799A2}\_ISMSIDEL.INI

Filesize
896B

MD5
5368f1cfd99bfbd2329a97c7d51a8cf3

SHA1
e73d74825f8be629a9763ee97a862e43232a0c68

SHA256
2f8501fdb0e4b0bbf3af74836f3dfa682f12b9ede8968c119fa2aede74c8c340

SHA512
60378350573e4eb92a93b557ea2c259bae36272a7f4574504c4b3fb890c062a2c39c5c8069b41ce9807cdb666b452967df7cd106e178029a35fcc4e2659490a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{45797E98-F557-4FB4-9E46-87BE24A799A2}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{45797E98-F557-4FB4-9E46-87BE24A799A2}\d7d1fc2e7181c835679f6743e884b210N.exe

Filesize
3.5MB

MD5
d7d1fc2e7181c835679f6743e884b210

SHA1
c9866d544b7042dc4bc795e5afe03ec54b4fb1eb

SHA256
1225b77ccd2c1479b52f0ba03fee7b6a07cc7dd12660f62a369a156a31f10946

SHA512
7fa22d51d3721826ea7185eb6423804239260d6b223cc668196983fee104e1c29127e561492f9f380102cc0bae58309b6c0649e9546071831ca53fe00fff3484

Download Submit
C:\Users\Admin\AppData\Local\Temp\~858D.tmp

Filesize
5KB

MD5
36353e59e20ea55c00e23d620d756183

SHA1
f060f69ef640ff01cc9c0a41d589e8c1775d1c80

SHA256
57c9362b54b8cfc79332d33ec3c8e0fbb8df7709435de6ae63667dd094c82a0b

SHA512
d31938a11574c1059040a7f878e7254b6ced7095bceb1cf56d29f3c7118bcf805459a284d25e3051f2fd56a48124064292377106beb02420ba24d0e523298ca0

Download Submit