3f6156777d4c9881a2bebcbc7d5806779a87defd9d231193a38458217b92925e

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f6156777d4c9881a2bebcbc7d5806779a87defd9d231193a38458217b92925eN.exe
Size

428KB
MD5

8b833e280033f20da9d4d543919c7c80
SHA1

6b5b74930eae246af7fce82d1c2f09ed6b8c81d2
SHA256

3f6156777d4c9881a2bebcbc7d5806779a87defd9d231193a38458217b92925e
SHA512

8b943e64ab178e52003fc43b14cc17146789d469f189de3e26cc88ee4fe8bd2939684f1ea0a73c9fcc2972973708543b84453f81f0af9b7836dcb975743f1b8a
SSDEEP

12288:Z594+AcL4tBekiuKzErnH5rF/ZE+Jqt7DSavZvkomlsEWhl:BL4tBekiuVrnH5rF/Oqq1DPcoUwh

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4060	6C18.tmp

Executes dropped EXE 1 IoCs

pid	Process
4060	6C18.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f6156777d4c9881a2bebcbc7d5806779a87defd9d231193a38458217b92925eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6C18.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 4060	2452	3f6156777d4c9881a2bebcbc7d5806779a87defd9d231193a38458217b92925eN.exe	82
PID 2452 wrote to memory of 4060	2452	3f6156777d4c9881a2bebcbc7d5806779a87defd9d231193a38458217b92925eN.exe	82
PID 2452 wrote to memory of 4060	2452	3f6156777d4c9881a2bebcbc7d5806779a87defd9d231193a38458217b92925eN.exe	82

C:\Users\Admin\AppData\Local\Temp\3f6156777d4c9881a2bebcbc7d5806779a87defd9d231193a38458217b92925eN.exe
"C:\Users\Admin\AppData\Local\Temp\3f6156777d4c9881a2bebcbc7d5806779a87defd9d231193a38458217b92925eN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Local\Temp\6C18.tmp
  "C:\Users\Admin\AppData\Local\Temp\6C18.tmp" --helpC:\Users\Admin\AppData\Local\Temp\3f6156777d4c9881a2bebcbc7d5806779a87defd9d231193a38458217b92925eN.exe BA231AF7883A565D5BF5D1FCF58120672DE2F40AE800EA803AEBA7C687F02F55C2DEDD9099B226234C797C7FBF679C1239D5FA6A8F89C05479A5B559DD363D9F
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6C18.tmp

Filesize
428KB

MD5
1979bd7885fa08423d382de103049c9f

SHA1
5e7ee090eb889872996235e65d6c0007730a3351

SHA256
5966261cb04af5554f0cc7c96a05ede039b862ad1d9f44aeac622b5feb2e41cb

SHA512
ace40ba3b556291a1cbc241c23172c9fea7fb74f04e97c63a7884ea96652e2e5d2e5d17d5ea3be0b091ca5363f714e5e470459913d215973b694e21369fd6791

Download Submit