9711e0f1f4b1ea97ecf7ddfe05b27c8f712533c2141f6e2b064d636076e76652

Analysis

max time kernel
145s
max time network
150s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06/11/2024, 02:10 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

103024_37663.exe
Size

757KB
MD5

4004659f4494c57e1747f5182d774eef
SHA1

84384ab6418d2034219d75b315aebf32acf4f5b0
SHA256

46622c1a6a63e6306f95c2b95265f6712c2e7a44feaa302e5cfbe802e27be7a5
SHA512

b5146ddd92719f46291d9fcfaae08e82726713be7f9ea12cb1c394424b40107727660c79411750cc43f43904587f4ac004b1365a1665604fb707f9ba5633ecd9
SSDEEP

12288:YWq1u4H7cGfjv0Uf93GwA8gTvRJNvCM+bM8WCvKGuxc2+PCMLXGU4y7:+3Dfjv0odgV6zM6Kp23LWby

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2504	103024_37663.exe
2504	103024_37663.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2504	103024_37663.exe
5108	103024_37663.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2504 set thread context of 5108	2504	103024_37663.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	103024_37663.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	103024_37663.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2504	103024_37663.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 5108	2504	103024_37663.exe	89
PID 2504 wrote to memory of 5108	2504	103024_37663.exe	89
PID 2504 wrote to memory of 5108	2504	103024_37663.exe	89
PID 2504 wrote to memory of 5108	2504	103024_37663.exe	89
PID 2504 wrote to memory of 5108	2504	103024_37663.exe	89

C:\Users\Admin\AppData\Local\Temp\103024_37663.exe
"C:\Users\Admin\AppData\Local\Temp\103024_37663.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\103024_37663.exe
  "C:\Users\Admin\AppData\Local\Temp\103024_37663.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:5108

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

71.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.159.190.20.in-addr.arpa

IN PTR

Response
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

kmsaksesuar.com

103024_37663.exe

Remote address:

8.8.8.8:53

Request

kmsaksesuar.com

IN A

Response

kmsaksesuar.com

IN A

44.28.239.165
DNS

200.163.202.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.163.202.172.in-addr.arpa

IN PTR

Response
DNS

241.42.69.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.42.69.40.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response

44.28.239.165:443

kmsaksesuar.com

103024_37663.exe

156 B
3
44.28.239.165:443

kmsaksesuar.com

103024_37663.exe

156 B
3
44.28.239.165:443

kmsaksesuar.com

103024_37663.exe

156 B
3
44.28.239.165:443

kmsaksesuar.com

103024_37663.exe

156 B
3
44.28.239.165:443

kmsaksesuar.com

103024_37663.exe

156 B
3
44.28.239.165:443

kmsaksesuar.com

103024_37663.exe

156 B
3
44.28.239.165:443

kmsaksesuar.com

103024_37663.exe

156 B
3
44.28.239.165:443

kmsaksesuar.com

103024_37663.exe

156 B
3
44.28.239.165:443

kmsaksesuar.com

103024_37663.exe

156 B
3
44.28.239.165:443

kmsaksesuar.com

103024_37663.exe

156 B
3

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

0.205.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.205.248.87.in-addr.arpa
8.8.8.8:53

71.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

71.159.190.20.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

kmsaksesuar.com

dns

103024_37663.exe

61 B
77 B
1
1

DNS Request

kmsaksesuar.com

DNS Response

44.28.239.165
8.8.8.8:53

200.163.202.172.in-addr.arpa

dns

74 B
160 B
1
1

DNS Request

200.163.202.172.in-addr.arpa
8.8.8.8:53

241.42.69.40.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

241.42.69.40.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

30.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nssA569.tmp\System.dll

Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
memory/2504-14-0x0000000077381000-0x00000000774A1000-memory.dmp

Filesize
1.1MB

Download
memory/2504-15-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/5108-16-0x0000000000400000-0x0000000001653000-memory.dmp

Filesize
18.3MB

Download
memory/5108-17-0x0000000077381000-0x00000000774A1000-memory.dmp

Filesize
1.1MB

Download
memory/5108-18-0x0000000077408000-0x0000000077409000-memory.dmp

Filesize
4KB

Download
memory/5108-19-0x0000000077425000-0x0000000077426000-memory.dmp

Filesize
4KB

Download
memory/5108-20-0x0000000000400000-0x0000000001653000-memory.dmp

Filesize
18.3MB

Download
memory/5108-21-0x0000000077381000-0x00000000774A1000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.