Analysis
max time kernel: 133s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-10-2024 09:16
Static task: static1
Behavioral task: behavioral1
  Sample: a613b8807e9e08a47a81c3b1e38a31f4.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: a613b8807e9e08a47a81c3b1e38a31f4.exe
  Resource: win10v2004-20241007-en
General
Target: a613b8807e9e08a47a81c3b1e38a31f4.exe
Size: 10.2MB
MD5: a613b8807e9e08a47a81c3b1e38a31f4
SHA1: bd79889bc1ce02b5a16124184c7287e74aff1b80
SHA256: 3087108fae20b7a43c9a4479af8ece396217207e6de92e735d4edfe86671b067
SHA512: 74b6bb50ddd64aecc36111812502375e90154b7fcae7d3608736fe48e03ab4dd4bd263c0e9359326209e50ee5866de94b9360b289f50430dbcc7a405434dda23
SSDEEP: 98304:QBHh5y9TzXrTeNb+jqtd1fA/n2Yidr9gxnyaeXNbh1q0w4:yh5kDrTePpgxnytN1fB
Malware Config
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process                               target process
  PID 4032 set thread context of 4944  4032  a613b8807e9e08a47a81c3b1e38a31f4.exe  BitLockerToGo.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                            process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   a613b8807e9e08a47a81c3b1e38a31f4.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   BitLockerToGo.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                      pid   process                               target process
  PID 4032 wrote to memory of 4944  4032  a613b8807e9e08a47a81c3b1e38a31f4.exe  BitLockerToGo.exe
  PID 4032 wrote to memory of 4944  4032  a613b8807e9e08a47a81c3b1e38a31f4.exe  BitLockerToGo.exe
  PID 4032 wrote to memory of 4944  4032  a613b8807e9e08a47a81c3b1e38a31f4.exe  BitLockerToGo.exe
  PID 4032 wrote to memory of 4944  4032  a613b8807e9e08a47a81c3b1e38a31f4.exe  BitLockerToGo.exe
  PID 4032 wrote to memory of 4944  4032  a613b8807e9e08a47a81c3b1e38a31f4.exe  BitLockerToGo.exe
  PID 4032 wrote to memory of 4944  4032  a613b8807e9e08a47a81c3b1e38a31f4.exe  BitLockerToGo.exe
  PID 4032 wrote to memory of 4944  4032  a613b8807e9e08a47a81c3b1e38a31f4.exe  BitLockerToGo.exe
  PID 4032 wrote to memory of 4944  4032  a613b8807e9e08a47a81c3b1e38a31f4.exe  BitLockerToGo.exe
  PID 4032 wrote to memory of 4944  4032  a613b8807e9e08a47a81c3b1e38a31f4.exe  BitLockerToGo.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\a613b8807e9e08a47a81c3b1e38a31f4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a613b8807e9e08a47a81c3b1e38a31f4.exe"
   PID: 4032
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      Command line: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      PID: 4944
      - System Location Discovery: System Language Discovery