cc88e14ae32bef8cda9d4000f4c489a02a443bc7e65861e71ddc6fff84bf804c

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 01:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cc88e14ae32bef8cda9d4000f4c489a02a443bc7e65861e71ddc6fff84bf804c.exe
Size

7.7MB
MD5

485c421f3a7fbe96d58421c1407f1c43
SHA1

56162ade47a9c0dc23ce3ce2c9fe22987a2b976b
SHA256

cc88e14ae32bef8cda9d4000f4c489a02a443bc7e65861e71ddc6fff84bf804c
SHA512

7cbef21d44e8e0c837cbde96ca22f27d0eabf17049f2f56476fda817e5c69f320b7e0eb60aed3eca424a9b55bd395e0df178080d4f25c5e2b628e56eea9748c1
SSDEEP

196608:FFRGbHFDQz6K1JVSbZgyJr3M6RyicdDWRVkpIPQIkRaRnCwWw:fw7JQh1JVAgyaTGVkkmadCwWw

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1176	cc88e14ae32bef8cda9d4000f4c489a02a443bc7e65861e71ddc6fff84bf804c.tmp

Loads dropped DLL 4 IoCs

pid	Process
1176	cc88e14ae32bef8cda9d4000f4c489a02a443bc7e65861e71ddc6fff84bf804c.tmp
1176	cc88e14ae32bef8cda9d4000f4c489a02a443bc7e65861e71ddc6fff84bf804c.tmp
1176	cc88e14ae32bef8cda9d4000f4c489a02a443bc7e65861e71ddc6fff84bf804c.tmp
1176	cc88e14ae32bef8cda9d4000f4c489a02a443bc7e65861e71ddc6fff84bf804c.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc88e14ae32bef8cda9d4000f4c489a02a443bc7e65861e71ddc6fff84bf804c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc88e14ae32bef8cda9d4000f4c489a02a443bc7e65861e71ddc6fff84bf804c.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 1176	4912	cc88e14ae32bef8cda9d4000f4c489a02a443bc7e65861e71ddc6fff84bf804c.exe	84
PID 4912 wrote to memory of 1176	4912	cc88e14ae32bef8cda9d4000f4c489a02a443bc7e65861e71ddc6fff84bf804c.exe	84
PID 4912 wrote to memory of 1176	4912	cc88e14ae32bef8cda9d4000f4c489a02a443bc7e65861e71ddc6fff84bf804c.exe	84

C:\Users\Admin\AppData\Local\Temp\cc88e14ae32bef8cda9d4000f4c489a02a443bc7e65861e71ddc6fff84bf804c.exe
"C:\Users\Admin\AppData\Local\Temp\cc88e14ae32bef8cda9d4000f4c489a02a443bc7e65861e71ddc6fff84bf804c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Users\Admin\AppData\Local\Temp\is-1CTKC.tmp\cc88e14ae32bef8cda9d4000f4c489a02a443bc7e65861e71ddc6fff84bf804c.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1CTKC.tmp\cc88e14ae32bef8cda9d4000f4c489a02a443bc7e65861e71ddc6fff84bf804c.tmp" /SL5="$80054,7467292,227840,C:\Users\Admin\AppData\Local\Temp\cc88e14ae32bef8cda9d4000f4c489a02a443bc7e65861e71ddc6fff84bf804c.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-1CTKC.tmp\cc88e14ae32bef8cda9d4000f4c489a02a443bc7e65861e71ddc6fff84bf804c.tmp

Filesize
1.5MB

MD5
6e4e83302159ec46e10280abe1d62ce1

SHA1
eb439d7b73e64605eb9f37b9b057722861ada267

SHA256
bb22238b9de45d10013cdf18b66d13646137bf5ddc075c781a160ef8739b2fd7

SHA512
22331088377154be8b11825c95c1a2a8765d71c3394714faed00a6185ab84afac63ae95103f20f1a9e4fe447259976734e1bd905e4a45bbe0567cee5241f1033

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHRE5.tmp\Autorun1.jpg

Filesize
198KB

MD5
42ff67b2001311140d6cfd4747f88e31

SHA1
735348bf08925ea751f7e2a252ecbfbfab31c68c

SHA256
3f8c29070d3340b528692df9980a347aba211972470eb833c734ed63fecf0c86

SHA512
50da87ff4fb1d80c5b9cd5c5dc4060a5d4baf1c7fe5470b59e7fce059c29fee9bae38b4a2423b663a20b82144a240451545d3803d2a3500ae072d09aecddc603

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHRE5.tmp\Dark.png

Filesize
65KB

MD5
185d31c702a861fd7026c693513eb3fb

SHA1
4857cba77bce860ee34df70d2ed06ac51958b53f

SHA256
56e1b926b344ef760fea6a4fd862e066ea5295f7e5671fc7c0d1f1bc148e2009

SHA512
9cabac5d73a9dada0d809fdfbbb552c105d0de975a545fef70322b8c86b001691af6e2dc58e980343342a953bed12d91553dc253928cd6357836b6aaf5efb8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHRE5.tmp\Exit.png

Filesize
9KB

MD5
91f97aa4b051e7b2991e5456d2c8655b

SHA1
901dd406613f3e97d8d6141bb061b242a3b5fb4f

SHA256
0ff3fbfbb177d5ffc8b577f821a91f9d39f13f5f548f9570c12cb85ccef526e3

SHA512
b664f7aff75308d416c9e479bbd9a9b840816d41fb1dc218187c01636e443c4c7976a635459f626f971961c89d0b8e3c91bb0d61940e487a36179437fb0aa296

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHRE5.tmp\ISDone.dll

Filesize
452KB

MD5
4feafa8b5e8cdb349125c8af0ac43974

SHA1
7f17e5e1b088fc73690888b215962fbcd395c9bd

SHA256
bb8a0245dcc5c10a1c7181bad509b65959855009a8105863ef14f2bb5b38ac71

SHA512
d63984ee385b4f1eba8e590d6de4f082fb0121689295ec6e496539209459152465f6db09e6d8f92eec996a89fc40432077cbfa807beb2de7f375154fef6554bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHRE5.tmp\Install.png

Filesize
22KB

MD5
3a104b9ff4b59bba6dc3b30114c5b31b

SHA1
3a03ebe2b3ff5d4bac88355c82a86da3bb30cfde

SHA256
1a72008c2393b330c3a9e05bcba070e538d9d5078767adc49a86a05473226ced

SHA512
8d4d985d5003b2b7739c9f5549b8ea143adcfa78188fea45de49a73f82dd1e88709ef35a62bdcfdf360a1d3face0cb40fb8ff782d15f5081127dd6121a7e0289

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHRE5.tmp\Lockscreen.jpg

Filesize
218KB

MD5
0242a6609df437a801343c4d434c09be

SHA1
e07162a96194feb48506a61ded2ed6bbf9749892

SHA256
6b67d017222fa7e87dfaee9bd2a0e5bac5207ca0607da6fa395edeedb7279ebd

SHA512
3c98aeb760ab79e3a1ef05a97e0373547312b2a206080d7b5f7b847020c9bd5089ca18d55cdc583a4c69b05fb72d62514fd7b5e76b574341b0ccd911a4f9d355

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHRE5.tmp\Lockscreen_overlay.png

Filesize
7KB

MD5
d31d8d275434bd9e5fad19146cde70f0

SHA1
e1be0e19762bee1a73349528463f92fc7e65e2b0

SHA256
aad4331448574ff4cf51994838e6b41607e8c6542c2f83aa0a465b7cd8792dc3

SHA512
b96c81cf9e380855059cc79796aaac50b507c48f4a84aefe5f9a09b9bdcb7a75990fd7a3239340ba5701af50d96cf2037e32d820c3b1f7f77631092ef036f986

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHRE5.tmp\Tile1_Background.jpg

Filesize
267KB

MD5
5e25fc73867c51bb749fa958b7c04fdf

SHA1
7c670bca631e94b46b33f50f1b8ec9d9d203898e

SHA256
36cf201c5171646a151b7ff5518078d6068f5437b52557784e4163a8e87a13a1

SHA512
e49b15ca8c190eb45a3920f87d652ef9ede95c1b68d48d99e8445373f875d5991fd1320106d2d2130d51484852ade59348b343296be285e127a2d18c3bbbaab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHRE5.tmp\Tile1_Icon1.png

Filesize
19KB

MD5
bb562c499c7bebaf0c0b0869f3833538

SHA1
4de593260cc4833ee3f903e122b39cd346bb1439

SHA256
5a497b1f9789ff32c31c033d660e45bf0a2f543a5a7b5e96e3cf4cbedbdbcf4f

SHA512
648fe2673dfcb1c679a7f0d9b2c39c5c1166efffdfa473d8bb517d2a7b12733297f8ac30e3b4bb1d6c3bac9d45eebe2199d8db1529dbfaf3f4640c42a60808a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHRE5.tmp\Uninstall.png

Filesize
9KB

MD5
1dbec7e15bb3fe912ea362c7f5305cb8

SHA1
8ee2dca3f834cd7809dd50681bb432fa17f982f6

SHA256
43bfe50a575e87237abe4f65eee18b23e667c0a6c9fa1fd6fc2176948edfa527

SHA512
dc46536df17a17410a4aa2b6afaee9a620612e23498d009e766411bf2d17c87da0ac3b3f5a950375c34f4355f6b2924dfdc99c52102e1e702fd55f29333fc55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHRE5.tmp\botva2.dll

Filesize
37KB

MD5
619bf9ddcb5fe39ee9e5b0167e7f4f0d

SHA1
6da8c0d2407d5221172765b00452efa0f361902f

SHA256
609661a14733f6e9c2c2f2ff9c274f8a4cbedaff4dd32049aa5161f8d7083d6a

SHA512
a89fc731805e83f889f408fe3fea769d0e44faf1e1dd37d3569bbf57a6086b1ffc8783778e0be8236447c7661c44051b2d4b1d3a643f7ebc35f6ef0625c6897a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHRE5.tmp\logo.png

Filesize
253B

MD5
5b97ed539eefa61a38c5d8bd75ba431e

SHA1
fddf8d18f7c9db64c85f5d7570fc3dbaac03bfe6

SHA256
b0034f812ff8f9a71d5e2b21ed1630ace13fe24d70cf558573a4204fb7ed96d3

SHA512
9ae322311d28d09e46c92b1ed4bf91c2f11e7d22dc6c2c16498c5e6e960d0e3062169876da4fddb3ef2cca5384b22f213c4380ec85d83ff4d29717e59bb31f08

Download Submit
memory/1176-7-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1176-16-0x00000000033C0000-0x0000000003437000-memory.dmp

Filesize
476KB

Download
memory/1176-35-0x0000000002560000-0x000000000256F000-memory.dmp

Filesize
60KB

Download
memory/1176-85-0x0000000002560000-0x000000000256F000-memory.dmp

Filesize
60KB

Download
memory/1176-84-0x00000000033C0000-0x0000000003437000-memory.dmp

Filesize
476KB

Download
memory/1176-86-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/4912-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/4912-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4912-82-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download