Analysis

- max time kernel: 95s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 01:32

Behavioral task: behavioral1
Sample: 219811a79baedfc3b6ccd42ccab52e166721cb7e2c5d2b6311c4675ee257ad8fN.exe
Resource: win7-20240903-en
General

- Target: 219811a79baedfc3b6ccd42ccab52e166721cb7e2c5d2b6311c4675ee257ad8fN.exe
- Size: 750KB
- MD5: 6e312f1611fa9f1acfe1bc9842893e30
- SHA1: 3d4c0a12f51c40a5442dd1519b347805a26988f3
- SHA256: 219811a79baedfc3b6ccd42ccab52e166721cb7e2c5d2b6311c4675ee257ad8f
- SHA512: 84649cc00b62ccb372495c86806b646a9bf2bc6d8cee8a81a66a4cc49e329ad995277f116c49e1bb6b9d3ede6d10eeb3ddd81da9247661f6678ecfafb3f72291
- SSDEEP: 12288:FaF39CnbpC+2EpDvKEdG11LOORYQgTeS+FBCILmXz7Iqkcw82QFsztr/:FGNCnbpCv0Dvlw1pRY3TeJ3CYmXBjwRz
Malware Config

Signatures

| resource | yara_rule |
|---|---|
| behavioral2/memory/3528-0-0x0000000000400000-0x000000000058E000-memory.dmp | upx |
| behavioral2/memory/3528-7-0x0000000000400000-0x000000000058E000-memory.dmp | upx |
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | systeminfo.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 219811a79baedfc3b6ccd42ccab52e166721cb7e2c5d2b6311c4675ee257ad8fN.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CMD.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | systeminfo.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | systeminfo.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | systeminfo.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | systeminfo.exe |
Gathers system information (1 TTPs, 5 IoCs)
Runs systeminfo.exe.

| pid | process |
|---|---|
| 1984 | systeminfo.exe |
| 1652 | systeminfo.exe |
| 3488 | systeminfo.exe |
| 3900 | systeminfo.exe |
| 4868 | systeminfo.exe |

Suspicious use of WriteProcessMemory (18 IoCs)

| description | pid | process | target process |
|---|---|---|---|
| PID 3528 wrote to memory of 3000 | 3528 | 219811a79baedfc3b6ccd42ccab52e166721cb7e2c5d2b6311c4675ee257ad8fN.exe | CMD.exe |
| PID 3528 wrote to memory of 3000 | 3528 | 219811a79baedfc3b6ccd42ccab52e166721cb7e2c5d2b6311c4675ee257ad8fN.exe | CMD.exe |
| PID 3528 wrote to memory of 3000 | 3528 | 219811a79baedfc3b6ccd42ccab52e166721cb7e2c5d2b6311c4675ee257ad8fN.exe | CMD.exe |
| PID 3000 wrote to memory of 1984 | 3000 | CMD.exe | systeminfo.exe |
| PID 3000 wrote to memory of 1984 | 3000 | CMD.exe | systeminfo.exe |
| PID 3000 wrote to memory of 1984 | 3000 | CMD.exe | systeminfo.exe |
| PID 3000 wrote to memory of 1652 | 3000 | CMD.exe | systeminfo.exe |
| PID 3000 wrote to memory of 1652 | 3000 | CMD.exe | systeminfo.exe |
| PID 3000 wrote to memory of 1652 | 3000 | CMD.exe | systeminfo.exe |
| PID 3000 wrote to memory of 3488 | 3000 | CMD.exe | systeminfo.exe |
| PID 3000 wrote to memory of 3488 | 3000 | CMD.exe | systeminfo.exe |
| PID 3000 wrote to memory of 3488 | 3000 | CMD.exe | systeminfo.exe |
| PID 3000 wrote to memory of 3900 | 3000 | CMD.exe | systeminfo.exe |
| PID 3000 wrote to memory of 3900 | 3000 | CMD.exe | systeminfo.exe |
| PID 3000 wrote to memory of 3900 | 3000 | CMD.exe | systeminfo.exe |
| PID 3000 wrote to memory of 4868 | 3000 | CMD.exe | systeminfo.exe |
| PID 3000 wrote to memory of 4868 | 3000 | CMD.exe | systeminfo.exe |
| PID 3000 wrote to memory of 4868 | 3000 | CMD.exe | systeminfo.exe |
Processes

C:\Users\Admin\AppData\Local\Temp\219811a79baedfc3b6ccd42ccab52e166721cb7e2c5d2b6311c4675ee257ad8fN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\219811a79baedfc3b6ccd42ccab52e166721cb7e2c5d2b6311c4675ee257ad8fN.exe"
  PID: 3528
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\CMD.exe
      Command line: CMD /C SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && DEL "C:\Users\Admin\AppData\Local\Temp\219811a79baedfc3b6ccd42ccab52e166721cb7e2c5d2b6311c4675ee257ad8fN.exe"
      PID: 3000
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\systeminfo.exe
          Command line: SYSTEMINFO
          PID: 1984
          - System Location Discovery: System Language Discovery
          - Gathers system information

        C:\Windows\SysWOW64\systeminfo.exe
          Command line: SYSTEMINFO
          PID: 1652
          - System Location Discovery: System Language Discovery
          - Gathers system information

        C:\Windows\SysWOW64\systeminfo.exe
          Command line: SYSTEMINFO
          PID: 3488
          - System Location Discovery: System Language Discovery
          - Gathers system information

        C:\Windows\SysWOW64\systeminfo.exe
          Command line: SYSTEMINFO
          PID: 3900
          - System Location Discovery: System Language Discovery
          - Gathers system information

        C:\Windows\SysWOW64\systeminfo.exe
          Command line: SYSTEMINFO
          PID: 4868
          - System Location Discovery: System Language Discovery
          - Gathers system information