25e372bb203e15bbad94ac0b41b98e1fcaad3a2631fa2a6ede24039a513e1e43

Analysis

max time kernel
94s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 19:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

25e372bb203e15bbad94ac0b41b98e1fcaad3a2631fa2a6ede24039a513e1e43.exe
Size

4.8MB
MD5

f63a184beae8c8e20a18cde368ad7692
SHA1

7cbc8fed497e2139b13897d241049a431d65ff68
SHA256

25e372bb203e15bbad94ac0b41b98e1fcaad3a2631fa2a6ede24039a513e1e43
SHA512

6384145fdb390e8fe4fc8d81565f287ab8616c0c4409158e055add007424ba38cdd83a5ad635c8dfec12eed8d5768908ca705823318cacbd53ac12d52f635a77
SSDEEP

98304:emhd1UryesfkdCfpI+mV7wQqZUha5jtSyR:elkkkfp62QbaZtlR

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1748	663C.tmp

Executes dropped EXE 1 IoCs

pid	Process
1748	663C.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25e372bb203e15bbad94ac0b41b98e1fcaad3a2631fa2a6ede24039a513e1e43.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	663C.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 1748	1412	25e372bb203e15bbad94ac0b41b98e1fcaad3a2631fa2a6ede24039a513e1e43.exe	82
PID 1412 wrote to memory of 1748	1412	25e372bb203e15bbad94ac0b41b98e1fcaad3a2631fa2a6ede24039a513e1e43.exe	82
PID 1412 wrote to memory of 1748	1412	25e372bb203e15bbad94ac0b41b98e1fcaad3a2631fa2a6ede24039a513e1e43.exe	82

C:\Users\Admin\AppData\Local\Temp\25e372bb203e15bbad94ac0b41b98e1fcaad3a2631fa2a6ede24039a513e1e43.exe
"C:\Users\Admin\AppData\Local\Temp\25e372bb203e15bbad94ac0b41b98e1fcaad3a2631fa2a6ede24039a513e1e43.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\AppData\Local\Temp\663C.tmp
  "C:\Users\Admin\AppData\Local\Temp\663C.tmp" --splashC:\Users\Admin\AppData\Local\Temp\25e372bb203e15bbad94ac0b41b98e1fcaad3a2631fa2a6ede24039a513e1e43.exe F3F853BA1842C3818CB6B931CEA1AB81B5C528DBF6C4C87CD14EC1DF0D28AC24AEA50FCF0FEB58F5B56520BC45E3EB132757997F7C923F3918CC11900A32E41E
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\663C.tmp

Filesize
4.8MB

MD5
c9fc5ad71d4055db380af07e72b3c135

SHA1
385177ebad18e09deefec889d4ddd207d0b77493

SHA256
843de8f9adaffb98e5e196e2d4864430af51e95b5fa900a13959038bee5e4940

SHA512
ff75c7b2c31198545eac7d9b24a6e76c10b75de96a163c0f3e602b0532801aaf2f95d29667c01406a232f6fb6c1b8dee56ec3b0043a95b083eb80b2dc7518429

Download Submit
memory/1412-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/1748-5-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download