65de25d4592677bf18d2ca1fda71800b22e2a97d2a8180bb8c910d2e308025f6

Analysis

max time kernel
118s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e62b87ba4ca60a4acd9b0cc026b5c580N.exe
Size

223KB
MD5

e62b87ba4ca60a4acd9b0cc026b5c580
SHA1

32496b168bf717b5c095cff2a0cc5d3fb062cf99
SHA256

65de25d4592677bf18d2ca1fda71800b22e2a97d2a8180bb8c910d2e308025f6
SHA512

48f2fac4eeb43878abc6ba4da91ee71ac967b395a7deb9f6f428bde08d64c752c54f0193933979f0378d54dbd2cc3ba1e349b8443d6b02c1d3b9c0e61295b467
SSDEEP

1536:0QqX1EEpwljTSWebPmgPB6FVqX+O3m/TkmL4oDHTjCWSpAnE5s:A1UpoqQ+ICakHdSpAnA

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1944	svchost.exe

Enumerates connected drives 3 TTPs 34 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\E:	e62b87ba4ca60a4acd9b0cc026b5c580N.exe
File opened (read-only)	\??\K:	e62b87ba4ca60a4acd9b0cc026b5c580N.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\G:	e62b87ba4ca60a4acd9b0cc026b5c580N.exe
File opened (read-only)	\??\U:	e62b87ba4ca60a4acd9b0cc026b5c580N.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\M:	e62b87ba4ca60a4acd9b0cc026b5c580N.exe
File opened (read-only)	\??\N:	e62b87ba4ca60a4acd9b0cc026b5c580N.exe
File opened (read-only)	\??\Q:	e62b87ba4ca60a4acd9b0cc026b5c580N.exe
File opened (read-only)	\??\T:	e62b87ba4ca60a4acd9b0cc026b5c580N.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\J:	e62b87ba4ca60a4acd9b0cc026b5c580N.exe
File opened (read-only)	\??\R:	e62b87ba4ca60a4acd9b0cc026b5c580N.exe
File opened (read-only)	\??\V:	e62b87ba4ca60a4acd9b0cc026b5c580N.exe
File opened (read-only)	\??\P:	e62b87ba4ca60a4acd9b0cc026b5c580N.exe
File opened (read-only)	\??\O:	e62b87ba4ca60a4acd9b0cc026b5c580N.exe
File opened (read-only)	\??\S:	e62b87ba4ca60a4acd9b0cc026b5c580N.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\H:	e62b87ba4ca60a4acd9b0cc026b5c580N.exe
File opened (read-only)	\??\I:	e62b87ba4ca60a4acd9b0cc026b5c580N.exe
File opened (read-only)	\??\L:	e62b87ba4ca60a4acd9b0cc026b5c580N.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e62b87ba4ca60a4acd9b0cc026b5c580N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV	e62b87ba4ca60a4acd9b0cc026b5c580N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV\EFile = "051033066052045073102210051036065140143066100220208170023064164123213087144234067021045232183042096"	e62b87ba4ca60a4acd9b0cc026b5c580N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV\DFile	e62b87ba4ca60a4acd9b0cc026b5c580N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV\DFile	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
852	e62b87ba4ca60a4acd9b0cc026b5c580N.exe
852	e62b87ba4ca60a4acd9b0cc026b5c580N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1944	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 1944	852	e62b87ba4ca60a4acd9b0cc026b5c580N.exe	84
PID 852 wrote to memory of 1944	852	e62b87ba4ca60a4acd9b0cc026b5c580N.exe	84
PID 852 wrote to memory of 1944	852	e62b87ba4ca60a4acd9b0cc026b5c580N.exe	84

C:\Users\Admin\AppData\Local\Temp\e62b87ba4ca60a4acd9b0cc026b5c580N.exe
"C:\Users\Admin\AppData\Local\Temp\e62b87ba4ca60a4acd9b0cc026b5c580N.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\svchost.exe
  C:\Users\svchost.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\svchost.exe

Filesize
224KB

MD5
6275fe651ef7c4d55e095e876b982fcb

SHA1
628c11e14b633b2694d0d1eb11db3a4cf7f391e3

SHA256
e3201739d952db6fc8ac9e9b01aba00f99ea4af89e0ec48216dc9764e3ed3f6d

SHA512
2474f11ca97d92c8386fb020c77c5b0d936cad14bf627acf800d7c3ba0871d7820670a59011b3d60ff8f133847dfa07fcaa231cb7209362c5bfe8b73182dbfc4

Download Submit
memory/852-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1944-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1944-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download