9f3b713f5d5cbf7956e2af70a7e45d08dc420ba93df0bb177137c2993fca7144

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f3b713f5d5cbf7956e2af70a7e45d08dc420ba93df0bb177137c2993fca7144.exe
Size

4.2MB
MD5

7ec8dbd4b0284b09eb91783491cfcac2
SHA1

6466f8b448bb7ae0e0ba9e8c7feb2fc568c2cf77
SHA256

9f3b713f5d5cbf7956e2af70a7e45d08dc420ba93df0bb177137c2993fca7144
SHA512

ba691e6da8dbde6dd4ce9cb92e39c123d46759b2ccffad3e1e85616b342f20f124609b251823697a56f16638c6e89e4deb332ad0694409cbf1f7d53fbfd75a49
SSDEEP

98304:Cmhd1Urye6skF8BgFPfvBHxCVLUjH5oxFbx:Cl4OBGnvHCVUjZEd

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3248	89F0.tmp

Executes dropped EXE 1 IoCs

pid	Process
3248	89F0.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f3b713f5d5cbf7956e2af70a7e45d08dc420ba93df0bb177137c2993fca7144.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89F0.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 3248	4744	9f3b713f5d5cbf7956e2af70a7e45d08dc420ba93df0bb177137c2993fca7144.exe	86
PID 4744 wrote to memory of 3248	4744	9f3b713f5d5cbf7956e2af70a7e45d08dc420ba93df0bb177137c2993fca7144.exe	86
PID 4744 wrote to memory of 3248	4744	9f3b713f5d5cbf7956e2af70a7e45d08dc420ba93df0bb177137c2993fca7144.exe	86

C:\Users\Admin\AppData\Local\Temp\9f3b713f5d5cbf7956e2af70a7e45d08dc420ba93df0bb177137c2993fca7144.exe
"C:\Users\Admin\AppData\Local\Temp\9f3b713f5d5cbf7956e2af70a7e45d08dc420ba93df0bb177137c2993fca7144.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\89F0.tmp
  "C:\Users\Admin\AppData\Local\Temp\89F0.tmp" --splashC:\Users\Admin\AppData\Local\Temp\9f3b713f5d5cbf7956e2af70a7e45d08dc420ba93df0bb177137c2993fca7144.exe E5EA70D5F819816B49947CBE8B0ABCDBD72AF819A94268C5419CDE12F1E875500268EFDD13F5EBA9ACB47B3F219F68C44CC4EBCB81B87E7532BC0C5D799C794A
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\89F0.tmp

Filesize
4.2MB

MD5
06156f22211d5d3077f4d89ace749696

SHA1
1f62004deb0a1b6b89f52f3fe5f64c536f6cf17a

SHA256
d57bae1c98831744d50f8f051cc6e71455a1197ae25525af12ee059e623c5921

SHA512
271708f091e285e4e4281f369350f3e3a0ba4954fafecceeb096f412275deae49352c423dafb6a9a34e5812c17d20d59e2597669b36bf11e826d0b2f791530ab

Download Submit
memory/3248-5-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/4744-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download