db0ed91f2d9ea77d405f4b4a0eb95202592d97d7bc170701bdba765f82b529d3

Analysis

max time kernel
92s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db0ed91f2d9ea77d405f4b4a0eb95202592d97d7bc170701bdba765f82b529d3.exe
Size

767KB
MD5

b95748619a3d96183f0b585ba2bf7dc5
SHA1

8018f21878e497a34c78c8cab1db94038c8fd5d6
SHA256

db0ed91f2d9ea77d405f4b4a0eb95202592d97d7bc170701bdba765f82b529d3
SHA512

d0fe0a6f40607e2179116b25ba5349a504bc7edb71ed45e6a74f882ed84a792c2b740401b5fd138a3ecf670aebd355bc8bd136c62493b3d84abed127a5d1761c
SSDEEP

12288:C7gKNkhm/JuyXnPB+h8WHSGERllv2BMwgZ805+ZZzOO4TsoXINHlx8Fjol:C7zNkhm5PBXvBZeq7G0/Lso4NFx8FjE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
840	alg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	db0ed91f2d9ea77d405f4b4a0eb95202592d97d7bc170701bdba765f82b529d3.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db0ed91f2d9ea77d405f4b4a0eb95202592d97d7bc170701bdba765f82b529d3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1460	db0ed91f2d9ea77d405f4b4a0eb95202592d97d7bc170701bdba765f82b529d3.exe

C:\Users\Admin\AppData\Local\Temp\db0ed91f2d9ea77d405f4b4a0eb95202592d97d7bc170701bdba765f82b529d3.exe
"C:\Users\Admin\AppData\Local\Temp\db0ed91f2d9ea77d405f4b4a0eb95202592d97d7bc170701bdba765f82b529d3.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b3f44e46645c74a7cfc61ea7ac311f81

SHA1
e3ce7f99dddc2bdfd807a95a2979510e72da7683

SHA256
ca06a776a20db2d0463b40bb1167f1ed561e75ca10db9403116e2f36692fb653

SHA512
f34506e752aa098153ab0262eb866f2740dff62d9f02987fa33a74a718948cd042ee352e61ece941f5959150542d6802e52f9158675f8922117a1803323d9bf9

Download Submit
memory/840-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/840-16-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1460-0-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1460-2-0x00000000021C0000-0x0000000002227000-memory.dmp

Filesize
412KB

Download
memory/1460-8-0x00000000021C0000-0x0000000002227000-memory.dmp

Filesize
412KB

Download
memory/1460-15-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download