b2dc73b825e728e2c1a6d93f8bdf2b08fbd0a5276b682469c2b50e12231bf51e

Analysis

max time kernel
27s
max time network
29s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Night.exe
Size

178KB
MD5

bfea95995f6cb4fa30f5da77953e8b34
SHA1

4557202b87bd473db9b97758666aeccb36a3b046
SHA256

b2dc73b825e728e2c1a6d93f8bdf2b08fbd0a5276b682469c2b50e12231bf51e
SHA512

81ecb9777bd304c25e0b5648b08e14e8a120eaf6727fa9db35337e0dc96d7e30cb333ce1d59b2c97215bd28215c2622a64401b049b81ab557c268b3eacbedeee
SSDEEP

1536:t1Tzy48untU8fOMEI3jyYfPiF1GMWZ3KTWR/Om:rzltUeOsaF1U6Tc

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Night.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
1936	timeout.exe
1364	timeout.exe
3276	timeout.exe
220	timeout.exe
228	timeout.exe
4744	timeout.exe
3036	timeout.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 5080	3428	Night.exe	84
PID 3428 wrote to memory of 5080	3428	Night.exe	84
PID 3428 wrote to memory of 5080	3428	Night.exe	84
PID 5080 wrote to memory of 4736	5080	cmd.exe	85
PID 5080 wrote to memory of 4736	5080	cmd.exe	85
PID 5080 wrote to memory of 4736	5080	cmd.exe	85
PID 5080 wrote to memory of 2420	5080	cmd.exe	86
PID 5080 wrote to memory of 2420	5080	cmd.exe	86
PID 5080 wrote to memory of 2420	5080	cmd.exe	86
PID 5080 wrote to memory of 220	5080	cmd.exe	91
PID 5080 wrote to memory of 220	5080	cmd.exe	91
PID 5080 wrote to memory of 220	5080	cmd.exe	91
PID 5080 wrote to memory of 228	5080	cmd.exe	92
PID 5080 wrote to memory of 228	5080	cmd.exe	92
PID 5080 wrote to memory of 228	5080	cmd.exe	92
PID 5080 wrote to memory of 4744	5080	cmd.exe	93
PID 5080 wrote to memory of 4744	5080	cmd.exe	93
PID 5080 wrote to memory of 4744	5080	cmd.exe	93
PID 5080 wrote to memory of 3036	5080	cmd.exe	94
PID 5080 wrote to memory of 3036	5080	cmd.exe	94
PID 5080 wrote to memory of 3036	5080	cmd.exe	94
PID 5080 wrote to memory of 832	5080	cmd.exe	95
PID 5080 wrote to memory of 832	5080	cmd.exe	95
PID 5080 wrote to memory of 832	5080	cmd.exe	95
PID 5080 wrote to memory of 1936	5080	cmd.exe	100
PID 5080 wrote to memory of 1936	5080	cmd.exe	100
PID 5080 wrote to memory of 1936	5080	cmd.exe	100
PID 5080 wrote to memory of 1364	5080	cmd.exe	101
PID 5080 wrote to memory of 1364	5080	cmd.exe	101
PID 5080 wrote to memory of 1364	5080	cmd.exe	101
PID 5080 wrote to memory of 3276	5080	cmd.exe	102
PID 5080 wrote to memory of 3276	5080	cmd.exe	102
PID 5080 wrote to memory of 3276	5080	cmd.exe	102
PID 5080 wrote to memory of 5052	5080	cmd.exe	106
PID 5080 wrote to memory of 5052	5080	cmd.exe	106
PID 5080 wrote to memory of 5052	5080	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\Night.exe
"C:\Users\Admin\AppData\Local\Temp\Night.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8722.tmp\Night.bat" "C:\Users\Admin\AppData\Local\Temp\Night.exe""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4736
- - C:\Windows\SysWOW64\mode.com
    mode con lines=20 cols=70
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2420
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:220
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:228
- - C:\Windows\SysWOW64\timeout.exe
    timeout 4
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4744
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3036
- - C:\Windows\SysWOW64\mode.com
    mode con lines=20 cols=70
    3⤵
    - System Location Discovery: System Language Discovery
    PID:832
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1936
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1364
- - C:\Windows\SysWOW64\timeout.exe
    timeout 4
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3276
- - C:\Windows\SysWOW64\mode.com
    mode con lines=30 cols=90
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8722.tmp\Night.bat

Filesize
27KB

MD5
dd60d995c982764a1863bb9814abcfbd

SHA1
860ca6b57f39996739d00523c0ed46d8d4130adb

SHA256
b3903035cfaf88a90c7c61134782c39b5eff57fb42c897be9f135aa17f9b5d8b

SHA512
c5ffd088cbadd416f178dbb2a3005d468fc2743da78a0b79146f4a088f9d1f370353249dc60c8d3be52ee3b146310e2f226c1595ad86881bfe4a86eb700db607

Download Submit