514225421165ba6d4769e6d6cf673306536b1eb647419d2ace6c2f8c1d0cc8c5

Analysis

max time kernel
111s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 12:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

514225421165ba6d4769e6d6cf673306536b1eb647419d2ace6c2f8c1d0cc8c5N.exe
Size

50KB
MD5

7fd5ad7d708480b4a4d76787b3b47690
SHA1

95cf7ddad63e87d6d1dd306bc5658977bb215fb1
SHA256

514225421165ba6d4769e6d6cf673306536b1eb647419d2ace6c2f8c1d0cc8c5
SHA512

2f282c9a80f17c90beef4b7d8347babd9e367ea05c2a5ffb415b0227f15ff62c5aefa73185ad9abb56620cdf6f1ca4ef3aa125a110b747bf96b2f35bc0d94d86
SSDEEP

1536:4GUiEAJoZWtdEI2MyzNORQtOflIwoHNM2XBFV7WB7lx7+sroMYILSh87vddgc:4GUzRWtdEI2MyzNORQtOflIwoHNM2XBs

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	514225421165ba6d4769e6d6cf673306536b1eb647419d2ace6c2f8c1d0cc8c5N.exe

Executes dropped EXE 1 IoCs

pid	Process
4316	joune.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	514225421165ba6d4769e6d6cf673306536b1eb647419d2ace6c2f8c1d0cc8c5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	joune.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 4316	3624	514225421165ba6d4769e6d6cf673306536b1eb647419d2ace6c2f8c1d0cc8c5N.exe	88
PID 3624 wrote to memory of 4316	3624	514225421165ba6d4769e6d6cf673306536b1eb647419d2ace6c2f8c1d0cc8c5N.exe	88
PID 3624 wrote to memory of 4316	3624	514225421165ba6d4769e6d6cf673306536b1eb647419d2ace6c2f8c1d0cc8c5N.exe	88

C:\Users\Admin\AppData\Local\Temp\514225421165ba6d4769e6d6cf673306536b1eb647419d2ace6c2f8c1d0cc8c5N.exe
"C:\Users\Admin\AppData\Local\Temp\514225421165ba6d4769e6d6cf673306536b1eb647419d2ace6c2f8c1d0cc8c5N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Users\Admin\AppData\Local\Temp\joune.exe
  "C:\Users\Admin\AppData\Local\Temp\joune.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\joune.exe

Filesize
50KB

MD5
8766d233f4b975e5160d947035c1eca7

SHA1
0410a0a33cdcbf2e5edcba11f2176f83a7c8e3c0

SHA256
c0a6f2015cb2dca0e8096c18ddc69b75a4081d394f4790abe033800e0a028490

SHA512
501fb01c22f270c690b7b2a8b44f2c287e2e82c75f4f697b934d2720af7ada21322a732b5f9b592ad4d08bd7ee625eedb564b7fc52d11a5076c02a9d17097f6f

Download Submit
memory/3624-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3624-1-0x00000000022D0000-0x00000000022D6000-memory.dmp

Filesize
24KB

Download
memory/3624-2-0x00000000022D0000-0x00000000022D6000-memory.dmp

Filesize
24KB

Download
memory/3624-3-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4316-20-0x0000000002090000-0x0000000002096000-memory.dmp

Filesize
24KB

Download