b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9

Analysis

max time kernel
94s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exe
Size

1.9MB
MD5

c9b42da49e0d53790d6a8bd3dd488a36
SHA1

42ee38e93722907df8734d5158d16062d4266711
SHA256

b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9
SHA512

8efb9c5a49a95e5698ce554f32b6a5bd5dc86ebbcde1fef6d946bbbddf68d424cd52e12f56f94550868735ea1689c69521740debe0e207d931feb839960fb2ce
SSDEEP

49152:Qoa1taC070dzos0F6NE0tTw1MuJWH+z1c6uemksma4Fo:Qoa1taC0Jr67TfuJIkc6tOh

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

A2D7.tmp

pid process

1756 A2D7.tmp
Executes dropped EXE 1 IoCs

Processes:

A2D7.tmp

pid process

1756 A2D7.tmp

pid	process
1756	A2D7.tmp

pid	process
1756	A2D7.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exeA2D7.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A2D7.tmp

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exe

description	pid	process	target process
PID 4624 wrote to memory of 1756	4624	b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exe	A2D7.tmp
PID 4624 wrote to memory of 1756	4624	b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exe	A2D7.tmp
PID 4624 wrote to memory of 1756	4624	b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exe	A2D7.tmp

C:\Users\Admin\AppData\Local\Temp\b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exe
"C:\Users\Admin\AppData\Local\Temp\b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Users\Admin\AppData\Local\Temp\A2D7.tmp
  "C:\Users\Admin\AppData\Local\Temp\A2D7.tmp" --splashC:\Users\Admin\AppData\Local\Temp\b71a76d34832110aca91d58646291ec1f683730b540e8d202edf5d0a736fdef9.exe D96ED789597D0DD0AE03984A753DEDBF29241720D54E9955B54E5A2AE1891AA7F4CCD950E5B53E3E4FFC7E327EA70B3DE9641BD77D3D399BFC1F2BB22FB48104
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A2D7.tmp

Filesize
1.9MB

MD5
20fc0706c80e7b022356e256322e1cb1

SHA1
500ebedf00f13817b6efa5285a12a0ed6dc7e4d3

SHA256
7a2bf48369170ddf814dfbbdd9c268dcaa96e75312a356caa10dff5c1522a8cf

SHA512
3929d7700a2338b47da3d9fd0764721ab9dd0fa6e6614fca550f60a3e49b013a9e316f1fc6706e16d4dca244697b7c2636fd719f5b60fd1801c0b4558a8ced16

Download Submit
memory/1756-5-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/4624-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download