ba06d84217f2b582b68ec6e20cf80b020e2b28608b6446ae96d0f7ab7f8e9168

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba06d84217f2b582b68ec6e20cf80b020e2b28608b6446ae96d0f7ab7f8e9168.exe
Size

1.2MB
MD5

e153e24281fb360eb3aa4e958bdcf4d6
SHA1

6e6f4719d07f7f63e66c0df786cf08ef2442ad79
SHA256

ba06d84217f2b582b68ec6e20cf80b020e2b28608b6446ae96d0f7ab7f8e9168
SHA512

63c1c737048d2c09e8cb32923d2aef31a0a20c8c809d7ace9280fdb4c5aa3fc511972237da9e7948dc255e6b164854c4a81631b0dc18e6467c228edf26acd373
SSDEEP

24576:qKeyxTAJj7P+yW6mc1YCwuv6ez8quGqYXOnfTjG3B49a9IK/T7RU:qKeyRA0y9fWCw28Men7jG3iAN/JU

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2304	srkni.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\smirhguf\srkni.exe	ba06d84217f2b582b68ec6e20cf80b020e2b28608b6446ae96d0f7ab7f8e9168.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba06d84217f2b582b68ec6e20cf80b020e2b28608b6446ae96d0f7ab7f8e9168.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srkni.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 2304	3836	ba06d84217f2b582b68ec6e20cf80b020e2b28608b6446ae96d0f7ab7f8e9168.exe	82
PID 3836 wrote to memory of 2304	3836	ba06d84217f2b582b68ec6e20cf80b020e2b28608b6446ae96d0f7ab7f8e9168.exe	82
PID 3836 wrote to memory of 2304	3836	ba06d84217f2b582b68ec6e20cf80b020e2b28608b6446ae96d0f7ab7f8e9168.exe	82

C:\Users\Admin\AppData\Local\Temp\ba06d84217f2b582b68ec6e20cf80b020e2b28608b6446ae96d0f7ab7f8e9168.exe
"C:\Users\Admin\AppData\Local\Temp\ba06d84217f2b582b68ec6e20cf80b020e2b28608b6446ae96d0f7ab7f8e9168.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Program Files (x86)\smirhguf\srkni.exe
  "C:\Program Files (x86)\smirhguf\srkni.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\smirhguf\srkni.exe

Filesize
1.2MB

MD5
18e6e2d68fa0047dd96c2e1da996f101

SHA1
34a4619f7a2e98b5cded13337b5bd1777c6a13ce

SHA256
f55a702266faa7fc12416968bd0144a86d4d914ddc6d82db9249c21e3f273d6e

SHA512
af67f61b97d0b795254553c7a9e5118721538709cfee526e1039ceba3c62a1e978b92e9eb201027d79fbace75b9e9139a14072795d98ed43b0502457dbc4c3f0

Download Submit
memory/2304-7-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2304-8-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3836-0-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3836-1-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3836-5-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download