ebc820cf5d0dca9a5fcaffb6411feeaa65892d5b8769efbfb2fd179570d45d8f

Analysis

max time kernel
119s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5955817ec025dc8b346e3f4019f00510N.exe
Size

7KB
MD5

5955817ec025dc8b346e3f4019f00510
SHA1

7850fa9c9735336121878a2f064878209088598a
SHA256

ebc820cf5d0dca9a5fcaffb6411feeaa65892d5b8769efbfb2fd179570d45d8f
SHA512

8e67bcdf8843ee049601bd54856c12259528b175ad4c1294c1b6b16885a7b33a5260667cbd9ae5ccf2013affde8b7b6156122f553f709586802ea7922639f800
SSDEEP

96:ZbcQ3j6cInZqngqZdtywnumwC4gY617GeBM65BGevKY7DZCUOTjtEt6AbaNESoXD:uQ3FRgatywnzigbSEM65MevHX4zPN+z

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	5955817ec025dc8b346e3f4019f00510N.exe

Executes dropped EXE 1 IoCs

pid	Process
2856	yyhwn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5955817ec025dc8b346e3f4019f00510N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yyhwn.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 2856	684	5955817ec025dc8b346e3f4019f00510N.exe	84
PID 684 wrote to memory of 2856	684	5955817ec025dc8b346e3f4019f00510N.exe	84
PID 684 wrote to memory of 2856	684	5955817ec025dc8b346e3f4019f00510N.exe	84

C:\Users\Admin\AppData\Local\Temp\5955817ec025dc8b346e3f4019f00510N.exe
"C:\Users\Admin\AppData\Local\Temp\5955817ec025dc8b346e3f4019f00510N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:684
- C:\Users\Admin\AppData\Local\Temp\yyhwn.exe
  "C:\Users\Admin\AppData\Local\Temp\yyhwn.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yyhwn.exe

Filesize
7KB

MD5
c315e3010f4c7e6338700f1cdea8130b

SHA1
0c0b1bfc531533afaa9c01a1dc7b1a7badc4f020

SHA256
d4539f230519b67f2d1617107d8b38363f491bb39facea1b5c94deb3d7a80e84

SHA512
ecad8e6be8446a094848f077e0083f01fd3c7ac991e01fa8e6e81e8c1db18c7cdea641070b0d22df59a973e9119bd6dac5db5f0b43e6a4ac5ddbb9f16c449720

Download Submit