c890ba483d9ba2fd4d6635017211402ef7bec1734f239c9b819b6f4534f4ba81

Analysis

max time kernel
111s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c890ba483d9ba2fd4d6635017211402ef7bec1734f239c9b819b6f4534f4ba81N.exe
Size

978KB
MD5

282d1a7dc57ee8cdd347c33b01c2ea70
SHA1

78fec777105be7c073c1cbcc7d9dfb3447d0069a
SHA256

c890ba483d9ba2fd4d6635017211402ef7bec1734f239c9b819b6f4534f4ba81
SHA512

9e0be2eb2fac8755a13b159c015af5b5951f3b3ea565ba7895e6214f35fc472adeac89e327250ddd8819a4ba391e15b229917fcbd03129215681fd0a5cecc945
SSDEEP

24576:qa967lIijNAki9rIL79A/SXeCHey2/XDf:B6hPjNAki9e791XeCp2Pr

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1768	svchost.exe
2424	c890ba483d9ba2fd4d6635017211402ef7bec1734f239c9b819b6f4534f4ba81N.exe
4868	svchost.exe

Drops file in Program Files directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	c890ba483d9ba2fd4d6635017211402ef7bec1734f239c9b819b6f4534f4ba81N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c890ba483d9ba2fd4d6635017211402ef7bec1734f239c9b819b6f4534f4ba81N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 1768	3168	c890ba483d9ba2fd4d6635017211402ef7bec1734f239c9b819b6f4534f4ba81N.exe	83
PID 3168 wrote to memory of 1768	3168	c890ba483d9ba2fd4d6635017211402ef7bec1734f239c9b819b6f4534f4ba81N.exe	83
PID 3168 wrote to memory of 1768	3168	c890ba483d9ba2fd4d6635017211402ef7bec1734f239c9b819b6f4534f4ba81N.exe	83
PID 1768 wrote to memory of 2424	1768	svchost.exe	84
PID 1768 wrote to memory of 2424	1768	svchost.exe	84
PID 1768 wrote to memory of 2424	1768	svchost.exe	84

C:\Users\Admin\AppData\Local\Temp\c890ba483d9ba2fd4d6635017211402ef7bec1734f239c9b819b6f4534f4ba81N.exe
"C:\Users\Admin\AppData\Local\Temp\c890ba483d9ba2fd4d6635017211402ef7bec1734f239c9b819b6f4534f4ba81N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\c890ba483d9ba2fd4d6635017211402ef7bec1734f239c9b819b6f4534f4ba81N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Users\Admin\AppData\Local\Temp\c890ba483d9ba2fd4d6635017211402ef7bec1734f239c9b819b6f4534f4ba81N.exe
    "C:\Users\Admin\AppData\Local\Temp\c890ba483d9ba2fd4d6635017211402ef7bec1734f239c9b819b6f4534f4ba81N.exe"
    3⤵
    - Executes dropped EXE
    PID:2424

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c890ba483d9ba2fd4d6635017211402ef7bec1734f239c9b819b6f4534f4ba81N.exe

Filesize
943KB

MD5
a93a6916192e51c60f96756976c0f865

SHA1
4b49202dc1d06c23f9b38194afa30dec40b3e2c6

SHA256
fd927381762d53d2abed029b1c3dbcedf892b2890b8483ec83d750293c66175b

SHA512
81515b26d08329500fbc5f5ed42494be19c992df027c59e9228df9705e4e4e0ff9dc912d6255a00cfb3ce20cfcc5bc5855dbcaf1aa5dea1fe01d88246a5dce38

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
memory/1768-10-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3168-3-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4868-13-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4868-15-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download