c0131e4f7bc24c6667a66ad8208af585b61375dfc75c941d710cae8622e4383e

Analysis

max time kernel
93s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Project Breakdown Doc.exe
Size

1.3MB
MD5

bf7d24a56c64e6632ff2ca51f08908f8
SHA1

428d664141dc9d2318dacdf51c4ac9efbbdd3847
SHA256

ade930428485f335d9ab8526b0073be5cdf902c7316bf24bf86c69c85ed67d7e
SHA512

dfbecaf21a3c59b0d3248dfb8fb603a321d2fa358d15466143a25ea907014b60182c70caa6395f3a0f0e24fe7662447431df00b8e628b3f50a8a4c4e73d66b2b
SSDEEP

24576:OAHnh+eWsN3skA4RV1Hom2KXMmHa56GGVDLhD1vJVs9JAMu3E5:5h+ZkldoPK8Ya56GGx4bAM3

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5040 set thread context of 632	5040	Project Breakdown Doc.exe	83

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Project Breakdown Doc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5040	Project Breakdown Doc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5040	Project Breakdown Doc.exe
5040	Project Breakdown Doc.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
5040	Project Breakdown Doc.exe
5040	Project Breakdown Doc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 632	5040	Project Breakdown Doc.exe	83
PID 5040 wrote to memory of 632	5040	Project Breakdown Doc.exe	83
PID 5040 wrote to memory of 632	5040	Project Breakdown Doc.exe	83
PID 5040 wrote to memory of 632	5040	Project Breakdown Doc.exe	83

C:\Users\Admin\AppData\Local\Temp\Project Breakdown Doc.exe
"C:\Users\Admin\AppData\Local\Temp\Project Breakdown Doc.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Project Breakdown Doc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autADB5.tmp

Filesize
283KB

MD5
1c8e5b6f9cea547a6bff401f911104ac

SHA1
964ad4d5ffccba0baa1fdc644559d2bc16b7946c

SHA256
9f5dd0de8ba6c85e9ec3573217fe074a8011b2879e562859adf4e1a39839928a

SHA512
9d1bb11df2dff681be708bed0ba213286adf830284b87540fd9af45cde7d37c5c6c22894c4189c75d2ebac11b6d7fdb10293a3d7ec3e6428012094ac23dc0be1

Download Submit
memory/632-8-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/632-9-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/632-10-0x0000000001600000-0x000000000194A000-memory.dmp

Filesize
3.3MB

Download
memory/632-11-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5040-7-0x0000000002740000-0x0000000002744000-memory.dmp

Filesize
16KB

Download