8b2c5b77f50d0a55a4234c88bf19e7e81f4838f009b0331a094aa0d2f4672b9f

Analysis

max time kernel
119s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b2c5b77f50d0a55a4234c88bf19e7e81f4838f009b0331a094aa0d2f4672b9fN.exe
Size

5KB
MD5

62a41b3f85f972fc0213b28788199740
SHA1

a29637f7f9959f4a19f7f5018e69808c0e6177c6
SHA256

8b2c5b77f50d0a55a4234c88bf19e7e81f4838f009b0331a094aa0d2f4672b9f
SHA512

08d004f116e5fa9e46791528fc27b2b397629bc3ce33b51a2f6985d4238cc52cfb9399fdf4eb809c5a47dc28f317f2ef9292a82aed5d42b7dc5207537896d035
SSDEEP

96:ZSv4mQMKh9ctgCVRoKinKymV44zZjwxl7mo55LuxLq/:rmQMKsnzinKfzzRwXZ5QW/

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	8b2c5b77f50d0a55a4234c88bf19e7e81f4838f009b0331a094aa0d2f4672b9fN.exe

Executes dropped EXE 1 IoCs

pid	Process
764	kbswl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b2c5b77f50d0a55a4234c88bf19e7e81f4838f009b0331a094aa0d2f4672b9fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kbswl.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 764	3056	8b2c5b77f50d0a55a4234c88bf19e7e81f4838f009b0331a094aa0d2f4672b9fN.exe	86
PID 3056 wrote to memory of 764	3056	8b2c5b77f50d0a55a4234c88bf19e7e81f4838f009b0331a094aa0d2f4672b9fN.exe	86
PID 3056 wrote to memory of 764	3056	8b2c5b77f50d0a55a4234c88bf19e7e81f4838f009b0331a094aa0d2f4672b9fN.exe	86

C:\Users\Admin\AppData\Local\Temp\8b2c5b77f50d0a55a4234c88bf19e7e81f4838f009b0331a094aa0d2f4672b9fN.exe
"C:\Users\Admin\AppData\Local\Temp\8b2c5b77f50d0a55a4234c88bf19e7e81f4838f009b0331a094aa0d2f4672b9fN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\kbswl.exe
  "C:\Users\Admin\AppData\Local\Temp\kbswl.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kbswl.exe

Filesize
5KB

MD5
37b7d05a1244e427e3dad5241f286e85

SHA1
55154d8ed011a3442e2b8a77c15df14d79dbc57a

SHA256
ce78f645cce45ae7de35f12b8d2d65376d22fc12bbb95615785fd95a12b04686

SHA512
6bbbfc18c48253323e33ebda0e9a03dd9178d99cd10e9fdfe2821e555be9614e7bd976f2ad7e81f67430dc6b8b0a2ccf13cf868529219116110a1c510eb65087

Download Submit