a48b56dc04c653e40eca650bec4968df2a7fb4c9ee3eb31102491cbc483cd809

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1aa4d985bd9198f051564a81b254e10N.exe
Size

22KB
MD5

a1aa4d985bd9198f051564a81b254e10
SHA1

1f317e8f47004a614c8e577af8e7e1e8c124a9b8
SHA256

a48b56dc04c653e40eca650bec4968df2a7fb4c9ee3eb31102491cbc483cd809
SHA512

23fe4b9f62c8d93a56169b0a21d5a6c4cf16a01d2ad7b50a01da79a943fae5ef7a94d4948ee21dc42169646a273472b7179950ba47a5c1ae1350dfc12590a11c
SSDEEP

384:+6C5SYpuESCgvATWe64rbbIbOS5O/lg7Vvi3:+6n0Sa+KIySWEvK

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	a1aa4d985bd9198f051564a81b254e10N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	ffengh.exe

Executes dropped EXE 1 IoCs

pid	Process
1992	ffengh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1aa4d985bd9198f051564a81b254e10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffengh.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 1992	4184	a1aa4d985bd9198f051564a81b254e10N.exe	86
PID 4184 wrote to memory of 1992	4184	a1aa4d985bd9198f051564a81b254e10N.exe	86
PID 4184 wrote to memory of 1992	4184	a1aa4d985bd9198f051564a81b254e10N.exe	86

C:\Users\Admin\AppData\Local\Temp\a1aa4d985bd9198f051564a81b254e10N.exe
"C:\Users\Admin\AppData\Local\Temp\a1aa4d985bd9198f051564a81b254e10N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Users\Admin\AppData\Local\Temp\ffengh.exe
  "C:\Users\Admin\AppData\Local\Temp\ffengh.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ffengh.exe

Filesize
22KB

MD5
ca8c436f1fbb0d298ec73d088c4f4bd7

SHA1
b8738b5abbc8db3306acb167283e5cdf2a1576a3

SHA256
ee29829dc309974702060f6d2affb2c8e02a5e3c25e45243e0a0468e2f449c65

SHA512
1f896171418b3319296d32082054cc74f5cf9ce258e2f219cf4b5fc5b8ecb95cd0933888cdddd3e0e9f3e503ea55ac016ef7cd9035183b8bfd8d4a3a699bde69

Download Submit
memory/4184-0-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4184-9-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download