64506751e65ec41605c04620d393cdf9338ce76d31d8b0868dbdfce88f086a03

Analysis

max time kernel
92s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
Size

834KB
MD5

2c25a0926e5228d2205b3b8c8ef4d7f4
SHA1

5f8a9d364dc3d03a5b11fd5be0629d0fb5a8c409
SHA256

e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6
SHA512

cafe8fae74d414015118b838b5e4b30183733d5e833c5db84a56bd2d5cf728cad08d2bbefbeadc86b15b7dbf6dc25fcabdffa8ff4fb346dc0f66376087a28468
SSDEEP

12288:4EcVL8O4jrAi/X+tuuGK9p3ZWil37Nf5AcXbm8CETY2HhC9nxhnKQqsft+yOY:MLlgAi3dwp3YixJxAsCEhCAQqs0y9

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

232 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
232	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe

description	pid	process	target process
PID 2400 wrote to memory of 232	2400	e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe	rundll32.exe
PID 2400 wrote to memory of 232	2400	e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe	rundll32.exe
PID 2400 wrote to memory of 232	2400	e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
"C:\Users\Admin\AppData\Local\Temp\e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" sqlite.dll,global
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sqlite.dat

Filesize
558KB

MD5
bbd4ce7a3b397979f6725781367e2671

SHA1
1627f36916b4a3e2384a3aa2b0af35ba9e785093

SHA256
c13e0dd5f82062a4659f6fa989b00a2d109644156675aa63e7670288723a9fe4

SHA512
b0a5708673f3077eaad552ea664f16b569b653be55865221506b537b41c77ec9b5610d3f67b996e7f2da0bd08da274dc01c9e7db2ce1ed706c18812093d76b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll

Filesize
52KB

MD5
d2c3e38d64273ea56d503bb3fb2a8b5d

SHA1
177da7d99381bbc83ede6b50357f53944240d862

SHA256
25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52

SHA512
2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117

Download Submit