39fd80c14de6c7f35cf46db75ff8948daa5c48a78567155c278a872d0382232e

Analysis

max time kernel
100s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Account bringers.exe
Size

65KB
MD5

7ed9a42df55ac56d121ea9832838193f
SHA1

009c8eb20c6bb355a55112975fa668baae08559b
SHA256

39fd80c14de6c7f35cf46db75ff8948daa5c48a78567155c278a872d0382232e
SHA512

e5bfd30312188c3d26730deb0db114171baef26c5bb2f1db845961cea8f84179989737974949070b5c66485041df29d22d495747489c72e88a88f651dafbdc22
SSDEEP

1536:TcoU49/91oN36tRQviFw1zI9RBnvAmfLteF3nLrB9z3nWaF9bvS9vM:TcoU49/91oN36tRQviFC0vBnNfWl9zG4

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Account bringers.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Account bringers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	Account bringers.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe
2524	Account bringers.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1504	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	Account bringers.exe

Suspicious use of SetWindowsHookEx 63 IoCs

pid	Process
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe
1504	OpenWith.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2132	2524	Account bringers.exe	83
PID 2524 wrote to memory of 2132	2524	Account bringers.exe	83
PID 2524 wrote to memory of 2132	2524	Account bringers.exe	83
PID 2132 wrote to memory of 3960	2132	cmd.exe	85
PID 2132 wrote to memory of 3960	2132	cmd.exe	85
PID 2132 wrote to memory of 3960	2132	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\Account bringers.exe
"C:\Users\Admin\AppData\Local\Temp\Account bringers.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\Account bringers.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3960

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2524-0-0x0000000074C72000-0x0000000074C73000-memory.dmp

Filesize
4KB

Download
memory/2524-1-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/2524-2-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/2524-8-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download