37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7c

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe
Size

4.2MB
MD5

7838d252ba4b3d75f9b202f325cdb830
SHA1

de7022425617f80cfa0fd9922dfab3a9cfb17735
SHA256

37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7c
SHA512

aedcdd7327155d25799b42f29bca9632f186470dc5e51d3893b80770656078808d364060b6f091bbfba6b05709b3cf25c3a221278051799403fee95423a97f2b
SSDEEP

98304:Cmhd1UryeqmSVrXfBVVLUjH5oxFbxhVLUjH5oxFbx:ClKRVTXVUjZEdhVUjZEd

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4664	5D1F.tmp

Executes dropped EXE 1 IoCs

pid	Process
4664	5D1F.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5D1F.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 4664	2760	37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe	89
PID 2760 wrote to memory of 4664	2760	37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe	89
PID 2760 wrote to memory of 4664	2760	37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe	89

C:\Users\Admin\AppData\Local\Temp\37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe
"C:\Users\Admin\AppData\Local\Temp\37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\5D1F.tmp
  "C:\Users\Admin\AppData\Local\Temp\5D1F.tmp" --splashC:\Users\Admin\AppData\Local\Temp\37d8cbbdd158501c65c5a0b863fcb0693db9cd8edf746a60905bb89e0d8dbb7cN.exe 50B6D1034C17146FD1C42A130AB56DD0959494DFC14462D47B93283F81BAD2CDE3880D6DD9AD7F7993C93A1BD369697DE2A8CBD6C7476ADFF4F93FDBA9FDCA13
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4332,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:8
1⤵
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5D1F.tmp

Filesize
4.2MB

MD5
0304f9d9381b8def027e0ed4bbb83a73

SHA1
fc4f1e257df8379260caa77b7efb6ad68c6c145d

SHA256
62831b122854e59dec90b821a4bf209470db6d4c31fe0f9eba2e10c24fe42fb8

SHA512
a665d943720fbc93338caca9e0ccfb0f9878773863b8bd33585a82ab824f2245e50646e652b55c928fa56cbbe63b806135071289a86ad35af51309fbc3a29fe2

Download Submit
memory/2760-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/4664-5-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download