e4d71e1304325feacf4d0dd3ae69794d13b37c1bec002db06a858605cb8f2b42

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52cd9c7c57d99b9b916bc908a6b9ed90N.exe
Size

1.7MB
MD5

52cd9c7c57d99b9b916bc908a6b9ed90
SHA1

cd284536303d300b721fbe4c031d58530646aa9c
SHA256

e4d71e1304325feacf4d0dd3ae69794d13b37c1bec002db06a858605cb8f2b42
SHA512

025f52df62d04a29c1f24e503214ca2433f654db7abed69c0481ccbcc8c29d52f1ef48f93b38d4dee75607fddc737757326937e2ce17638271482fa42622bd8f
SSDEEP

24576:27FUDowAyrTVE3U5F/eVc4ppKU7zAglFTbak6o0wIOdSvoq92UQZ5eh/EzMmzE:2BuZrEUEzKU7vlFik6o0w6QUQzs

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1500	52cd9c7c57d99b9b916bc908a6b9ed90N.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52cd9c7c57d99b9b916bc908a6b9ed90N.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52cd9c7c57d99b9b916bc908a6b9ed90N.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 1500	4552	52cd9c7c57d99b9b916bc908a6b9ed90N.exe	83
PID 4552 wrote to memory of 1500	4552	52cd9c7c57d99b9b916bc908a6b9ed90N.exe	83
PID 4552 wrote to memory of 1500	4552	52cd9c7c57d99b9b916bc908a6b9ed90N.exe	83

C:\Users\Admin\AppData\Local\Temp\52cd9c7c57d99b9b916bc908a6b9ed90N.exe
"C:\Users\Admin\AppData\Local\Temp\52cd9c7c57d99b9b916bc908a6b9ed90N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Users\Admin\AppData\Local\Temp\is-4U9GN.tmp\52cd9c7c57d99b9b916bc908a6b9ed90N.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4U9GN.tmp\52cd9c7c57d99b9b916bc908a6b9ed90N.tmp" /SL5="$70042,839193,832512,C:\Users\Admin\AppData\Local\Temp\52cd9c7c57d99b9b916bc908a6b9ed90N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-4U9GN.tmp\52cd9c7c57d99b9b916bc908a6b9ed90N.tmp

Filesize
3.1MB

MD5
8dcbd7b0e003fd53e11c8efe306f0e37

SHA1
3e2e39eb0b3de9cdadda8a1065360dd7061397cd

SHA256
d095411d7c70ac3a9ce5b02633c90a0b8a33694a3e611c2b4ed4bcae10954ddf

SHA512
66a0b6c992b2891dbe422e15d28a1d6f1aa10565cedda0eed9e23c4b20f927f2b493f882d833cdbc3436bf9c2f5bc2eb3d00aabb94e5d4dbf20ea2862f83ea12

Download Submit
memory/1500-6-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1500-9-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1500-11-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4552-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4552-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4552-8-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4552-13-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download