9f94aec437c2ba9aa60aab18ffeac7dab6e2a6ffde3761a6804119b03dd57c9a

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f94aec437c2ba9aa60aab18ffeac7dab6e2a6ffde3761a6804119b03dd57c9aN.exe
Size

79KB
MD5

30c4891d202675a788d675ab1e1864e0
SHA1

6cc9dd73cf42197d30b9ddc52dfe5b3872d0f11e
SHA256

9f94aec437c2ba9aa60aab18ffeac7dab6e2a6ffde3761a6804119b03dd57c9a
SHA512

7c058f2b68d39489b3d2bcfaee235f98d9a6acf96bb4960e38508c28b5e609d1a614cb7fe9b18fc1344fe28927b1ae5553984fd8dabf28789908c610be8e91b1
SSDEEP

1536:zvvSjrPgawlHWzMLP0OOQA8AkqUhMb2nuy5wgIP0CSJ+5yKB8GMGlZ5G:zvvSj8aKHWgLP0bGdqU7uy5w9WMyKN5G

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
820	[email protected]

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f94aec437c2ba9aa60aab18ffeac7dab6e2a6ffde3761a6804119b03dd57c9aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1724	1376	9f94aec437c2ba9aa60aab18ffeac7dab6e2a6ffde3761a6804119b03dd57c9aN.exe	82
PID 1376 wrote to memory of 1724	1376	9f94aec437c2ba9aa60aab18ffeac7dab6e2a6ffde3761a6804119b03dd57c9aN.exe	82
PID 1376 wrote to memory of 1724	1376	9f94aec437c2ba9aa60aab18ffeac7dab6e2a6ffde3761a6804119b03dd57c9aN.exe	82
PID 1724 wrote to memory of 820	1724	cmd.exe	83
PID 1724 wrote to memory of 820	1724	cmd.exe	83
PID 1724 wrote to memory of 820	1724	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\9f94aec437c2ba9aa60aab18ffeac7dab6e2a6ffde3761a6804119b03dd57c9aN.exe
"C:\Users\Admin\AppData\Local\Temp\9f94aec437c2ba9aa60aab18ffeac7dab6e2a6ffde3761a6804119b03dd57c9aN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
79KB

MD5
688402dba1b66d1831306fd3f69750b5

SHA1
542e95b8aa52a5d1a4f2808e153045744334d293

SHA256
9d52a83f8e2d303ce2b2e316125f05157f844c641b075773ae7662bdbc833ebc

SHA512
983023a36a6024c30820681f8bf5df7eca2bc65666a8698622dce0a02b4019c5001d65057e92e8e76f8b154cbd013916d57431017eb42ba444823b15c4c394ed

Download Submit
memory/820-5-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1376-6-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download