f8122a885ea8a8fe4cdf3208cc50e6b7056265d8db9538b016e70d58ffbeabb9

Analysis

max time kernel
3s
max time network
15s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8122a885ea8a8fe4cdf3208cc50e6b7056265d8db9538b016e70d58ffbeabb9.exe
Size

468KB
MD5

4f32e3f40c9890030b4daef4a89945a5
SHA1

979cb28aa526a0383b3ccfea6844c4ebb207debd
SHA256

f8122a885ea8a8fe4cdf3208cc50e6b7056265d8db9538b016e70d58ffbeabb9
SHA512

7f9c8485a517c5b53013ae9c6ec39132a6414b4399ff889231b5ee8cc189d11de3008c9a775d8aee720d352fb561669e3f0676153c1bc954414327a618fac9e6
SSDEEP

3072:/cksovIwU3f/jbYUPgSEOf8yG5W5R7XCi8HxxSwmb/dwBaxu0UlA:/croIv/j3PfEOfljggb/Wkxu0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Unicorn-40154.exe

pid	Process
1900	Unicorn-40154.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f8122a885ea8a8fe4cdf3208cc50e6b7056265d8db9538b016e70d58ffbeabb9.exeUnicorn-40154.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8122a885ea8a8fe4cdf3208cc50e6b7056265d8db9538b016e70d58ffbeabb9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-40154.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f8122a885ea8a8fe4cdf3208cc50e6b7056265d8db9538b016e70d58ffbeabb9.exeUnicorn-40154.exe

pid	Process
3832	f8122a885ea8a8fe4cdf3208cc50e6b7056265d8db9538b016e70d58ffbeabb9.exe
1900	Unicorn-40154.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f8122a885ea8a8fe4cdf3208cc50e6b7056265d8db9538b016e70d58ffbeabb9.exe

description	pid	Process	procid_target
PID 3832 wrote to memory of 1900	3832	f8122a885ea8a8fe4cdf3208cc50e6b7056265d8db9538b016e70d58ffbeabb9.exe	84
PID 3832 wrote to memory of 1900	3832	f8122a885ea8a8fe4cdf3208cc50e6b7056265d8db9538b016e70d58ffbeabb9.exe	84
PID 3832 wrote to memory of 1900	3832	f8122a885ea8a8fe4cdf3208cc50e6b7056265d8db9538b016e70d58ffbeabb9.exe	84

C:\Users\Admin\AppData\Local\Temp\f8122a885ea8a8fe4cdf3208cc50e6b7056265d8db9538b016e70d58ffbeabb9.exe
"C:\Users\Admin\AppData\Local\Temp\f8122a885ea8a8fe4cdf3208cc50e6b7056265d8db9538b016e70d58ffbeabb9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Users\Admin\AppData\Local\Temp\Unicorn-40154.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-40154.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-40154.exe

Filesize
468KB

MD5
754b364d026bd43596ee2e111b18b098

SHA1
fd0b138cf3c980deed2844ddaccfefe28c2e4467

SHA256
bf0a0582f2def65ae7e0fc206c95e35c1f1cd849d5b57eb999a314acb3894529

SHA512
cab112708fa7a35cbc1cbf911b6a39329a6df346b6093b2f41248c3745c6f47eedfa8ad548950e5a248575196e36dd948581e273862ea73a0d6bfa760bc56b8b

Download Submit