65e8bf4d364b451c9608e7491b2dc6b81794ffd8d5143281866d6458a802dc36

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65e8bf4d364b451c9608e7491b2dc6b81794ffd8d5143281866d6458a802dc36.exe
Size

1.9MB
MD5

956f30962717dbadb4e8e157dfb4d9de
SHA1

f076c65f76ec95d650cb26988bac6c705d1d946d
SHA256

65e8bf4d364b451c9608e7491b2dc6b81794ffd8d5143281866d6458a802dc36
SHA512

23ec758614c2ebeec0caede2bbfc1464b26a25c26e9c32f1f7cb1ce11d8b4a6a5c9e721bad83d667767fdf87cd1b78fb89e1e55b2842c1d532a9d221fc2dfcaf
SSDEEP

49152:Qoa1taC070dEw14uTVIonXOeqBNmUVANIma5FjVPx6:Qoa1taC0hwRIo5uNm2ANITFpZ6

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2968	A1BE.tmp

Executes dropped EXE 1 IoCs

pid	Process
2968	A1BE.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65e8bf4d364b451c9608e7491b2dc6b81794ffd8d5143281866d6458a802dc36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A1BE.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2968	2944	65e8bf4d364b451c9608e7491b2dc6b81794ffd8d5143281866d6458a802dc36.exe	83
PID 2944 wrote to memory of 2968	2944	65e8bf4d364b451c9608e7491b2dc6b81794ffd8d5143281866d6458a802dc36.exe	83
PID 2944 wrote to memory of 2968	2944	65e8bf4d364b451c9608e7491b2dc6b81794ffd8d5143281866d6458a802dc36.exe	83

C:\Users\Admin\AppData\Local\Temp\65e8bf4d364b451c9608e7491b2dc6b81794ffd8d5143281866d6458a802dc36.exe
"C:\Users\Admin\AppData\Local\Temp\65e8bf4d364b451c9608e7491b2dc6b81794ffd8d5143281866d6458a802dc36.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\A1BE.tmp
  "C:\Users\Admin\AppData\Local\Temp\A1BE.tmp" --splashC:\Users\Admin\AppData\Local\Temp\65e8bf4d364b451c9608e7491b2dc6b81794ffd8d5143281866d6458a802dc36.exe 1274D1AD2CAD6F5071EF955F66DE7226AD89F55B3C97F2BD06A57EB83B36787A56E6B35AB6ED9A2B13811DF976A3D3C2B8D241B94C33E474F8D4A666B8218164
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A1BE.tmp

Filesize
1.9MB

MD5
6a2d2a3e345aadd58425072e11b5754a

SHA1
aea89933625e601da10b91492083ccfb58b34063

SHA256
39b948a9d097bbf6e5cc7936f397f4fb8ab9923ee173b00310459259e130c57a

SHA512
803ed264a7e1b8cf6144fe17d941f4f907bde049473aa586e9b3ff0633d1ee52ee4999c3b847158ef1cd59f59c2ee13b92d3d9bd815d1bab649834c3674c11c9

Download Submit
memory/2944-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/2968-5-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download