d37203944b0fee02f74ae15c3c69755f39c4b065668012387150abe23bf8c779

Analysis

max time kernel
110s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d476b0c88dbc473ad7f502d1490c64b0N.exe
Size

2.3MB
MD5

d476b0c88dbc473ad7f502d1490c64b0
SHA1

43574d7ea40a8021b65e94292f53e093ed0655f4
SHA256

d37203944b0fee02f74ae15c3c69755f39c4b065668012387150abe23bf8c779
SHA512

fb57de4489559fbf4e5d0e338b3218db36e73307d2e1fe410154db132ef04fd082e4995dd501c56f0d4ab8fff9e56a1f3441d8c6f0e572874dbecb3bc7dd63df
SSDEEP

49152:eYGtqTiuWeCNVPQ4zySUWP2qSrOpZVKkebA5rOYiZnR:ogFcQUUcIriebSivZnR

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4772	d476b0c88dbc473ad7f502d1490c64b0N.tmp

Loads dropped DLL 2 IoCs

pid	Process
4772	d476b0c88dbc473ad7f502d1490c64b0N.tmp
4772	d476b0c88dbc473ad7f502d1490c64b0N.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d476b0c88dbc473ad7f502d1490c64b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d476b0c88dbc473ad7f502d1490c64b0N.tmp

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4772	d476b0c88dbc473ad7f502d1490c64b0N.tmp
4772	d476b0c88dbc473ad7f502d1490c64b0N.tmp
4772	d476b0c88dbc473ad7f502d1490c64b0N.tmp
4772	d476b0c88dbc473ad7f502d1490c64b0N.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 4772	3484	d476b0c88dbc473ad7f502d1490c64b0N.exe	84
PID 3484 wrote to memory of 4772	3484	d476b0c88dbc473ad7f502d1490c64b0N.exe	84
PID 3484 wrote to memory of 4772	3484	d476b0c88dbc473ad7f502d1490c64b0N.exe	84

C:\Users\Admin\AppData\Local\Temp\d476b0c88dbc473ad7f502d1490c64b0N.exe
"C:\Users\Admin\AppData\Local\Temp\d476b0c88dbc473ad7f502d1490c64b0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Users\Admin\AppData\Local\Temp\is-KSE6L.tmp\d476b0c88dbc473ad7f502d1490c64b0N.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KSE6L.tmp\d476b0c88dbc473ad7f502d1490c64b0N.tmp" /SL5="$140052,1734053,70144,C:\Users\Admin\AppData\Local\Temp\d476b0c88dbc473ad7f502d1490c64b0N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-KSE6L.tmp\d476b0c88dbc473ad7f502d1490c64b0N.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V34U7.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V34U7.tmp\setupcfg.ini

Filesize
44B

MD5
c8ee3eaecb6fbbfc5822ee703eb93850

SHA1
f4101c658a2b3d7e9054e43d2351b4d2dfcd9977

SHA256
37246aba1706adfd2f7cbce5aa33cdb542e6df3faada25763612cce6da6a031d

SHA512
acbe9a98dee9c5f04a45c93a068669b11d6fa2d13d97fe827412c88d9cc46da01dd3e8541c4d75df65744fa3cacabcf5c24303663ae8a3312c6b6afd160029f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V34U7.tmp\tbr_dots.bmp

Filesize
164B

MD5
adc799ec79eeaef366ea4dddf099c3ae

SHA1
556c915615a34a2499604b7b732ab304b20fdd4e

SHA256
7e7f18c73560f9c020abe1ab1f22705083281e2ea16ab0030fc927901b5b5d1e

SHA512
76962a17cc26d3f9886828be4e43373ac530165e1c627272ed7c0bc731133e97608e55d2e31f44592aad0d0974352155f41a0718aa0666ec128406b1050c1d6c

Download Submit
memory/3484-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/3484-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3484-126-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4772-7-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4772-20-0x0000000003C40000-0x0000000003C77000-memory.dmp

Filesize
220KB

Download
memory/4772-128-0x0000000003C40000-0x0000000003C77000-memory.dmp

Filesize
220KB

Download
memory/4772-127-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download