2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
Size

15.0MB
MD5

c97c1701196b0fec08feb6caebe7b0e2
SHA1

7a06dd3cb34e7493c376af13c4553a078251b114
SHA256

2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40
SHA512

ddb0ad72c594478e0eff754dff9aff2e71e356d271378fe70b6710e88ed879a15e4410660d87c3f4f186f10fab80c64f39af5164300ae236f783a0d9e05d0af0
SSDEEP

393216:dThABRWI8jKEz4paPQxq9OCrGYDh19L1FPkTJtZO:dTWBgIuMgQ+OCZDH+TJtc

Score

6^/10

defense_evasion discovery

Malware Config

Signatures

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 868	2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe	86
PID 2608 wrote to memory of 868	2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe	86
PID 2608 wrote to memory of 868	2608	2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe	86

C:\Users\Admin\AppData\Local\Temp\2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe
"C:\Users\Admin\AppData\Local\Temp\2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\*.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2752180e7251178930189a0ca210c94376e88f6f322b2920a480a99a0b4b2e40.exepack.tmp

Filesize
2KB

MD5
16185d03f8913f9818d3d0c87a1445f2

SHA1
905c444f8fa9ba108427522977c61d146bbb480a

SHA256
5a11ab1dd23410c0bcbf40573121e031a5ba91ad6a1eca1e78f4a64f720f0338

SHA512
d685aa57aef65e650b971c37e09b4febfe350b6e496fe811aa463e19890801b2b8612d88a86a9d308a620eb9c8d7f7cc6cc66db47e61e3e3332489d1cab714e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f686d14dcf09c9459861ecb42880d5e.ini

Filesize
549B

MD5
61615d83e373a87c8e1f24a34303fc31

SHA1
b3b6636ba98662a146687ca9eefa8ae28243bd22

SHA256
bf9b8b6f57f0cb774ada54c0cbddffbce640013220dd978d73b3e362a56eaa82

SHA512
a8e112207b8b9c826e8047b71cacb2e7c2853028e67548120c4311d0f866a9915bdca7b85b761506b4b9c557d5c885e1574dc3412101a50f31979662acf77985

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f686d14dcf09c9459861ecb42880d5eA.ini

Filesize
1KB

MD5
f2c7ba3b970a3011fd8e305329937041

SHA1
f6eed40624e091c94f1a1244032597ea2927c381

SHA256
39b1eb4ab8864190095037d7888e5d016ce8473737877059a332c51afb976697

SHA512
4c21a02b4008536733c4b195c57fbeb2ca3be06ad022bd8e123f36ae90e1e322b0e637242ada34c7f6019a45822bd1198437ee90667cde06bc821d3923b00428

Download Submit
memory/2608-334-0x0000000000400000-0x00000000011EC000-memory.dmp

Filesize
13.9MB

Download
memory/2608-337-0x0000000000400000-0x00000000011EC000-memory.dmp

Filesize
13.9MB

Download
memory/2608-6-0x0000000000400000-0x00000000011EC000-memory.dmp

Filesize
13.9MB

Download
memory/2608-9-0x0000000000400000-0x00000000011EC000-memory.dmp

Filesize
13.9MB

Download
memory/2608-5-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/2608-3-0x0000000000400000-0x00000000011EC000-memory.dmp

Filesize
13.9MB

Download
memory/2608-1-0x00000000001D0000-0x00000000001D3000-memory.dmp

Filesize
12KB

Download
memory/2608-333-0x00000000001D0000-0x00000000001D3000-memory.dmp

Filesize
12KB

Download
memory/2608-335-0x00000000008E0000-0x0000000000D73000-memory.dmp

Filesize
4.6MB

Download
memory/2608-0-0x0000000000400000-0x00000000011EC000-memory.dmp

Filesize
13.9MB

Download
memory/2608-336-0x0000000000400000-0x00000000011EC000-memory.dmp

Filesize
13.9MB

Download
memory/2608-4-0x00000000008E0000-0x0000000000D73000-memory.dmp

Filesize
4.6MB

Download
memory/2608-338-0x0000000000400000-0x00000000011EC000-memory.dmp

Filesize
13.9MB

Download
memory/2608-339-0x0000000000400000-0x00000000011EC000-memory.dmp

Filesize
13.9MB

Download
memory/2608-340-0x0000000000400000-0x00000000011EC000-memory.dmp

Filesize
13.9MB

Download
memory/2608-341-0x0000000000400000-0x00000000011EC000-memory.dmp

Filesize
13.9MB

Download
memory/2608-342-0x0000000000400000-0x00000000011EC000-memory.dmp

Filesize
13.9MB

Download
memory/2608-343-0x0000000000400000-0x00000000011EC000-memory.dmp

Filesize
13.9MB

Download
memory/2608-344-0x0000000000400000-0x00000000011EC000-memory.dmp

Filesize
13.9MB

Download
memory/2608-345-0x0000000000400000-0x00000000011EC000-memory.dmp

Filesize
13.9MB

Download
memory/2608-346-0x0000000000400000-0x00000000011EC000-memory.dmp

Filesize
13.9MB

Download
memory/2608-347-0x0000000000400000-0x00000000011EC000-memory.dmp

Filesize
13.9MB

Download
memory/2608-348-0x0000000000400000-0x00000000011EC000-memory.dmp

Filesize
13.9MB

Download
memory/2608-349-0x0000000000400000-0x00000000011EC000-memory.dmp

Filesize
13.9MB

Download