ce04ecf2067f19516c4dc0ba096f7b6545d1a9ca672a12ae6f1964f83514420b

Analysis

max time kernel
92s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 16:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ce04ecf2067f19516c4dc0ba096f7b6545d1a9ca672a12ae6f1964f83514420bN.exe
Size

4.2MB
MD5

d13cff760730586ae154c0e5dd95e080
SHA1

9edf3121d902d831c0ddbfde94dd098501d6d754
SHA256

ce04ecf2067f19516c4dc0ba096f7b6545d1a9ca672a12ae6f1964f83514420b
SHA512

560e04d530ff7771a45033a448db02aacbbf519dd5ca0204ddfa3d6d43d629eed5ebc8d8a4e56be27735400ad2e80205ee94b14e0eb57ae71b95b643a2b706a0
SSDEEP

98304:Cmhd1UryenhuO5TPDBmajdympw0qVLUjH5oxFbxhVLUjH5oxFbx:ClBrxtmaxXeVUjZEdhVUjZEd

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2888	BE10.tmp

Executes dropped EXE 1 IoCs

pid	Process
2888	BE10.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce04ecf2067f19516c4dc0ba096f7b6545d1a9ca672a12ae6f1964f83514420bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BE10.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 2888	4324	ce04ecf2067f19516c4dc0ba096f7b6545d1a9ca672a12ae6f1964f83514420bN.exe	86
PID 4324 wrote to memory of 2888	4324	ce04ecf2067f19516c4dc0ba096f7b6545d1a9ca672a12ae6f1964f83514420bN.exe	86
PID 4324 wrote to memory of 2888	4324	ce04ecf2067f19516c4dc0ba096f7b6545d1a9ca672a12ae6f1964f83514420bN.exe	86

C:\Users\Admin\AppData\Local\Temp\ce04ecf2067f19516c4dc0ba096f7b6545d1a9ca672a12ae6f1964f83514420bN.exe
"C:\Users\Admin\AppData\Local\Temp\ce04ecf2067f19516c4dc0ba096f7b6545d1a9ca672a12ae6f1964f83514420bN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Users\Admin\AppData\Local\Temp\BE10.tmp
  "C:\Users\Admin\AppData\Local\Temp\BE10.tmp" --splashC:\Users\Admin\AppData\Local\Temp\ce04ecf2067f19516c4dc0ba096f7b6545d1a9ca672a12ae6f1964f83514420bN.exe 3CF525392427828C294CAB49CEAD380F5B87D5A95982B55BF060B961ED8A4DEC9187E2D087B266CFC1400F5869E759C46C37BBA6EE70C006D9306EA13E61FDB0
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BE10.tmp

Filesize
4.2MB

MD5
bbdcef65cf6daf3480ca9d73e54327cb

SHA1
270e2f6c3a9cdf4396a7c8e118a5f929c6f61f09

SHA256
4b23a29dd96870bf0f1a7723da34c6ce65835ef78eb62f43d21e2a41ac9d5ffb

SHA512
79f3bbe5e3d8dff034f3ea86e6e0152a8eb488715cd9347384b764fc3e3407b80fd4c419b808b636ec1cc9563300902b47d6b9bdf9befd2271bf5d936de19c9a

Download Submit
memory/2888-5-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/4324-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download