Analysis
max time kernel: 95s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 21:35
Static task: static1
Behavioral task: behavioral1
  Sample: 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe
  Resource: win10v2004-20241007-en
General
Target: 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe
Size: 4.2MB
MD5: 96a45c287c3ffb6ae85db562f90c9a00
SHA1: 74160e4e7ee8185ff8b9ce3b5a1e1d1d309ab730
SHA256: 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1
SHA512: 1bafdb06852abe2e06cc92a56d4392e0aa8214c2487b738c361b2451f1e7e63903126f82395bc887be5a22b3881680963a829b6e595d1d40ed25b486f245fc10
SSDEEP: 98304:Cmhd1Urye2T0EgDyKRMSVLUjH5oxFbxhVLUjH5oxFbx:Clg03oSVUjZEdhVUjZEd
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2544, process 8ACB.tmp
- Executes dropped EXE (1 IoC)
  pid 2544, process 8ACB.tmp
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 8ACB.tmp)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1384 wrote to memory of 2544 (pid 1384, process 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe, procid_target 88)
  PID 1384 wrote to memory of 2544 (pid 1384, process 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe, procid_target 88)
  PID 1384 wrote to memory of 2544 (pid 1384, process 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe, procid_target 88)
Processes
1. C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe"
   PID: 1384
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\8ACB.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\8ACB.tmp" --splash C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe 5801788DF0E758572BCA325F42B460B21612BBA1252C9A03704E3225F0AB93877132693E6C327102A2AF256AA3BE5913B860DB99B5E972D2EFA8F3B27A29ED0C
      PID: 2544
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4.2MB
MD5: 43059ac88567bf5fa9d40eeb41d796a8
SHA1: f79376c5cefe73dbd824fd82dcf61dcc21daed93
SHA256: fd619d55766168fed7289775ba8f9865ce19d7a5128dcc7a6853ff06166ccd68
SHA512: 3346cebde2d7348401cd36994d56214b64e72d3815f17bd450ab7dc1ae1950e1bb24b902cd24d33e72ca77fd41f00c0c6e1d745a193d1a1cf3211f4b49d68e81