c2febbdd7b1b2eb49e646a70caa17f07997ab1e686196ba02b0fb4f57325c511

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2febbdd7b1b2eb49e646a70caa17f07997ab1e686196ba02b0fb4f57325c511.exe
Size

1.9MB
MD5

d25bcdbaf39d65982455f9a15089306f
SHA1

778133254b5e6947bc75f31d0a0e3bc533b6a924
SHA256

c2febbdd7b1b2eb49e646a70caa17f07997ab1e686196ba02b0fb4f57325c511
SHA512

08e2a98d78ff40fa3b57defa445fc0a5a75c83e0c412fabceb09ef7f9b7a28f7b6c524df4b814d2984c87a04b5b4ec02e84e7a1dddf7a309cc4655bf6949a06d
SSDEEP

49152:Qoa1taC070dPmkeNQjlDFAQyO/qYGvNtgkQ:Qoa1taC04mkeejDAnYXkQ

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4464	5CB6.tmp

Executes dropped EXE 1 IoCs

pid	Process
4464	5CB6.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2febbdd7b1b2eb49e646a70caa17f07997ab1e686196ba02b0fb4f57325c511.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5CB6.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 4464	2588	c2febbdd7b1b2eb49e646a70caa17f07997ab1e686196ba02b0fb4f57325c511.exe	83
PID 2588 wrote to memory of 4464	2588	c2febbdd7b1b2eb49e646a70caa17f07997ab1e686196ba02b0fb4f57325c511.exe	83
PID 2588 wrote to memory of 4464	2588	c2febbdd7b1b2eb49e646a70caa17f07997ab1e686196ba02b0fb4f57325c511.exe	83

C:\Users\Admin\AppData\Local\Temp\c2febbdd7b1b2eb49e646a70caa17f07997ab1e686196ba02b0fb4f57325c511.exe
"C:\Users\Admin\AppData\Local\Temp\c2febbdd7b1b2eb49e646a70caa17f07997ab1e686196ba02b0fb4f57325c511.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Local\Temp\5CB6.tmp
  "C:\Users\Admin\AppData\Local\Temp\5CB6.tmp" --splashC:\Users\Admin\AppData\Local\Temp\c2febbdd7b1b2eb49e646a70caa17f07997ab1e686196ba02b0fb4f57325c511.exe A6F4E8015D0D847B37509FA99DCED0C7E5938C03074D25A8ABAEDC9CDA7D8E051A80E8351DDAF67566CC8612B67D11180C14E0221951827A75535AB905806FC5
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5CB6.tmp

Filesize
1.9MB

MD5
d202960b24bf2c055efa140930ee060e

SHA1
0e66652457d45be0b1bb7d6a30e506303d888893

SHA256
0f6c46cb52318c82e05408a0a3a9ca3465dac8a081922623a39f4c4f2e1aaa3d

SHA512
13bc475352f217e44aa5fdb03f1888cca7eea229ffb1373b78133f37754c7868f90436f289a189a0dc0241c06a5df6d21d1a39a20c2019e4fdd2c95fce2e35b6

Download Submit
memory/2588-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/4464-5-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download