72b888bc6a6dceacf96659ff0352c80d1ad377460ea27ef8509d3c875926365d

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

339578335d562261768d729fa085b4a0N.exe
Size

5.4MB
MD5

339578335d562261768d729fa085b4a0
SHA1

6aa01e749e3571fc57804b03a97bae2942722d32
SHA256

72b888bc6a6dceacf96659ff0352c80d1ad377460ea27ef8509d3c875926365d
SHA512

d0e1147a97226227f95c39cbeb998831e94b7e565b4d087f7c07b391ee475b838708c0125c9d033f60fcdfa46094a7bf12f45f41901109b804e89609f0f281b8
SSDEEP

98304:emhd1UryeoRZ8Ilk/CusWuTDPV7wQqZUha5jtSyZIUh:elIRmH6P2QbaZtliU

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4160	A325.tmp

Executes dropped EXE 1 IoCs

pid	Process
4160	A325.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A325.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	339578335d562261768d729fa085b4a0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 4160	2360	339578335d562261768d729fa085b4a0N.exe	86
PID 2360 wrote to memory of 4160	2360	339578335d562261768d729fa085b4a0N.exe	86
PID 2360 wrote to memory of 4160	2360	339578335d562261768d729fa085b4a0N.exe	86

C:\Users\Admin\AppData\Local\Temp\339578335d562261768d729fa085b4a0N.exe
"C:\Users\Admin\AppData\Local\Temp\339578335d562261768d729fa085b4a0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\A325.tmp
  "C:\Users\Admin\AppData\Local\Temp\A325.tmp" --splashC:\Users\Admin\AppData\Local\Temp\339578335d562261768d729fa085b4a0N.exe CDEE4DF592DADDEC47DC8997123F179BF60BD70CFD2C60804C50D2962DACB30C09165F8C7F7D051064B5E0D3DF793B8E18735531F6E25762CFE8F620F74F8D81
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A325.tmp

Filesize
5.4MB

MD5
a19c3878607dd7545c3858f6b411f4d5

SHA1
5707603af4afe52faeedf057a51ec5e5bffb5acb

SHA256
c76083903f6da071d05338ca1d5373ba69094d0949f5f59abba90b6c1f236f15

SHA512
7c6c115ccd323d31ca67d2de64252b6f5641c981f886ad8508bb6a8bef0a9c11a04a0fb35d6986e4d54ddc64edba067da828fd9b77f118087b0f68dcab622360

Download Submit
memory/2360-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/4160-5-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download