c36c7898ea1e32282bf5d92451f873e9f6b93ef0f33890838e3dd82e4b2d7d98

Analysis

max time kernel
98s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c36c7898ea1e32282bf5d92451f873e9f6b93ef0f33890838e3dd82e4b2d7d98N.exe
Size

79KB
MD5

c9fc1fbee467db8bf732e1d9c7c11f30
SHA1

f5e51cc60587fa7b275fa2f0506ca68499e07a50
SHA256

c36c7898ea1e32282bf5d92451f873e9f6b93ef0f33890838e3dd82e4b2d7d98
SHA512

1105cbca7a367c2f56aea8a459d9d625e075e5193f5bce0d46033e84e2816824dda287efc3610cbc9b907b8659d3bbee993b4906b86877e03c383881f6df0513
SSDEEP

1536:zvdtbD/STEiCoOQA8AkqUhMb2nuy5wgIP0CSJ+5yEB8GMGlZ5G:zvdtPS7CtGdqU7uy5w9WMyEN5G

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4764	[email protected]

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c36c7898ea1e32282bf5d92451f873e9f6b93ef0f33890838e3dd82e4b2d7d98N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1948	2348	c36c7898ea1e32282bf5d92451f873e9f6b93ef0f33890838e3dd82e4b2d7d98N.exe	83
PID 2348 wrote to memory of 1948	2348	c36c7898ea1e32282bf5d92451f873e9f6b93ef0f33890838e3dd82e4b2d7d98N.exe	83
PID 2348 wrote to memory of 1948	2348	c36c7898ea1e32282bf5d92451f873e9f6b93ef0f33890838e3dd82e4b2d7d98N.exe	83
PID 1948 wrote to memory of 4764	1948	cmd.exe	84
PID 1948 wrote to memory of 4764	1948	cmd.exe	84
PID 1948 wrote to memory of 4764	1948	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\c36c7898ea1e32282bf5d92451f873e9f6b93ef0f33890838e3dd82e4b2d7d98N.exe
"C:\Users\Admin\AppData\Local\Temp\c36c7898ea1e32282bf5d92451f873e9f6b93ef0f33890838e3dd82e4b2d7d98N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
79KB

MD5
4b151a6bbf0f14947d140c606ee7c72d

SHA1
00cc9e2f1c7560c215b489b3e186ba20921ee188

SHA256
206c78ba453901ce3b17c7d727cd60bb2c4202f463e104bf8eb19b59713750a7

SHA512
f95d95e997e676fb35e213db4e36e4f777c5d7e6a65d9b97ceb6355cc703e83efc5b7eeeb595bc104c454fa50904f68d1dd4e28337955c3da17dc84a637a96ad

Download Submit
memory/2348-6-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4764-5-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download