a7175983cccfabb5651f375416b4cb8294a32f562a460b4f51a22179a19bc518

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 15:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Installer.exe
Size

82KB
MD5

820dd1ea812e5b1150fbd9591a5ce2d7
SHA1

5d05db93e23a001392951cda59cb4339e182c2f2
SHA256

a7175983cccfabb5651f375416b4cb8294a32f562a460b4f51a22179a19bc518
SHA512

abae79a15d87daf9a3b9e1ee39f1d32364806062c3f01878586e0c1db5d1c46465ba7456f782f5e3f9e8f9e896d9e453b0da858ed73ae78aab60f71b4224336e
SSDEEP

768:P29L9W6fDEeVCUdIR2KxhMolF2QJiHan82AD3xxclysSoQuS:0vi2KY2FnJPn8tT3cl1L7S

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3996	Installer.exe
Token: SeDebugPrivilege	864	Installer.exe

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Installer.exe.log

Filesize
1KB

MD5
ffa5d45d55f46105a516df3c7c409019

SHA1
352d622ae18a5c73805bae69037dfd7104b03a77

SHA256
3362f0005826ed8118cf477603a90015e51a83b9905a24e15aa1aa4e5dc90a4c

SHA512
7d7eb819e32c455406a6aa260bd34e6b20e6f37f1bf9a3e79317e8b12b27202832fb8564058f12ea7f5c8ba37f26261903f4b5b54a1fb9d45aa61561a65180d5

Download Submit
memory/864-10-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/864-11-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/864-12-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/3996-0-0x000000007516E000-0x000000007516F000-memory.dmp

Filesize
4KB

Download
memory/3996-1-0x0000000000020000-0x0000000000038000-memory.dmp

Filesize
96KB

Download
memory/3996-2-0x0000000004F40000-0x00000000054E4000-memory.dmp

Filesize
5.6MB

Download
memory/3996-3-0x0000000004A30000-0x0000000004AC2000-memory.dmp

Filesize
584KB

Download
memory/3996-4-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/3996-5-0x0000000004AE0000-0x0000000004AEA000-memory.dmp

Filesize
40KB

Download
memory/3996-6-0x0000000004B50000-0x0000000004B5A000-memory.dmp

Filesize
40KB

Download
memory/3996-8-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download