91f4b7ae747bfd036882e084650f608782b6054ecc8ab32f5fe91b91caf80e5d

Analysis

max time kernel
93s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Versium.exe
Size

746KB
MD5

393d6260e39b68b2d60300e4f62ebc83
SHA1

16c58c5b7dee3ce4c3a40925ba4eed3c188faf46
SHA256

e7431a806b1b1928256376ec29207a342f4b860f4332bb523a53ac2d9d3d35d3
SHA512

d1916b2f2f8deddf331735b4b6f4b329d65696481c6971694c3bf64fa38feda8472c700d15311aad3ec3eeae5a6f9e6c85f204f955555a57eeea131ec4e8a198
SSDEEP

6144:d/QiQXCz5m+ksmpk3U9j0IMsoxvjFEOTb9WmZX/8shzdsY4CpHPhnBvudg:VQi3zc6m6UR0IMp1hf39Wkv8xwJB2i

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Versium.tmp

pid process

4200 Versium.tmp
Loads dropped DLL 1 IoCs

Processes:

Versium.tmp

pid process

4200 Versium.tmp

pid	process
4200	Versium.tmp

pid	process
4200	Versium.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Versium.tmpVersium.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Versium.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Versium.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Versium.exe

description	pid	process	target process
PID 2644 wrote to memory of 4200	2644	Versium.exe	Versium.tmp
PID 2644 wrote to memory of 4200	2644	Versium.exe	Versium.tmp
PID 2644 wrote to memory of 4200	2644	Versium.exe	Versium.tmp

C:\Users\Admin\AppData\Local\Temp\Versium.exe
"C:\Users\Admin\AppData\Local\Temp\Versium.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\is-1TOHO.tmp\Versium.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1TOHO.tmp\Versium.tmp" /SL5="$7005E,506127,422400,C:\Users\Admin\AppData\Local\Temp\Versium.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-1TOHO.tmp\Versium.tmp

Filesize
1.0MB

MD5
baec3f13d8997ecbe4460979102ed0b5

SHA1
438d163c5629b89cad5ba953a881afdb9624a998

SHA256
b41f017498a1d43c409cc2c5840e31972858c59e83abf26ff9528c9908c7abbe

SHA512
b4e14a3bc115ae816e3117d15b9a19f29d00322bd32112745d241f3452ffa52ef3db710397ce80972a443dc066fadbc161d1617b728430bf542edfef16a32125

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QH683.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
memory/2644-1-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2644-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2644-21-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4200-6-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4200-19-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download