44162eee61f7d49a55fe0f815d0bc996cd728d96307b5bc6277fe430941ad068

Analysis

max time kernel
92s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 01:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

44162eee61f7d49a55fe0f815d0bc996cd728d96307b5bc6277fe430941ad068.exe
Size

1.6MB
MD5

b1e34ddb1f25478d7553d87c350a5c4a
SHA1

0e6e7e6189de5ca0c403bf39dc7860288bdfe054
SHA256

44162eee61f7d49a55fe0f815d0bc996cd728d96307b5bc6277fe430941ad068
SHA512

2df7974b70d57b238fe16c62520754b6485956daee551bc6c9893a0f5ebc318d6382c99806fc59bb4cf6b62428c8b7891f6a2736af0c39aeb9f23e059784d4aa
SSDEEP

24576:s4lavt0LkLL9IMixoEgeaqmalul+simMGClgf8RXTUchbBoTq9MmCS:7kwkn9IMHeaqIzimDEFQchbBWaPCS

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4080 set thread context of 2116	4080	44162eee61f7d49a55fe0f815d0bc996cd728d96307b5bc6277fe430941ad068.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44162eee61f7d49a55fe0f815d0bc996cd728d96307b5bc6277fe430941ad068.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2116	svchost.exe
2116	svchost.exe
2116	svchost.exe
2116	svchost.exe
2116	svchost.exe
2116	svchost.exe
2116	svchost.exe
2116	svchost.exe
2116	svchost.exe
2116	svchost.exe
2116	svchost.exe
2116	svchost.exe
2116	svchost.exe
2116	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4080	44162eee61f7d49a55fe0f815d0bc996cd728d96307b5bc6277fe430941ad068.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4080	44162eee61f7d49a55fe0f815d0bc996cd728d96307b5bc6277fe430941ad068.exe
4080	44162eee61f7d49a55fe0f815d0bc996cd728d96307b5bc6277fe430941ad068.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4080	44162eee61f7d49a55fe0f815d0bc996cd728d96307b5bc6277fe430941ad068.exe
4080	44162eee61f7d49a55fe0f815d0bc996cd728d96307b5bc6277fe430941ad068.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 2116	4080	44162eee61f7d49a55fe0f815d0bc996cd728d96307b5bc6277fe430941ad068.exe	88
PID 4080 wrote to memory of 2116	4080	44162eee61f7d49a55fe0f815d0bc996cd728d96307b5bc6277fe430941ad068.exe	88
PID 4080 wrote to memory of 2116	4080	44162eee61f7d49a55fe0f815d0bc996cd728d96307b5bc6277fe430941ad068.exe	88
PID 4080 wrote to memory of 2116	4080	44162eee61f7d49a55fe0f815d0bc996cd728d96307b5bc6277fe430941ad068.exe	88

C:\Users\Admin\AppData\Local\Temp\44162eee61f7d49a55fe0f815d0bc996cd728d96307b5bc6277fe430941ad068.exe
"C:\Users\Admin\AppData\Local\Temp\44162eee61f7d49a55fe0f815d0bc996cd728d96307b5bc6277fe430941ad068.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\44162eee61f7d49a55fe0f815d0bc996cd728d96307b5bc6277fe430941ad068.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autA299.tmp

Filesize
282KB

MD5
caba071ae74831262dd01cdcd9cd5c79

SHA1
282563ac0de93cca19175c383920361afe51d646

SHA256
e2f49771c05271340c355fcdbf701a849557358bb3ac3b8f76cc73bfe35f2472

SHA512
460fc65344681f8eef947c3096bb969bf1a2d366ec8bc27b87b13c65603a743e05b5f89e49eb3679d50f5665b35c9770443d146b24b28631b17c75fb0378afa9

Download Submit
memory/2116-9-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2116-10-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2116-11-0x0000000001800000-0x0000000001B4A000-memory.dmp

Filesize
3.3MB

Download
memory/2116-12-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4080-8-0x0000000001620000-0x0000000001A20000-memory.dmp

Filesize
4.0MB

Download