136985f3f221620819fd04eda2a931f34e9e6a66ed8d63495c6f76155edd9b75

Analysis

max time kernel
94s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97ea9eb9abdc300ce758c07ef0a31854be8342969bcacfc458e642540b63d63a.exe
Size

251KB
MD5

97206e8b31ee16ef3d47eab75ba0c9d5
SHA1

c152b70ac2a5a2fbdd38439eeab9b432339dc381
SHA256

97ea9eb9abdc300ce758c07ef0a31854be8342969bcacfc458e642540b63d63a
SHA512

66b88c23d5168341299f0758bb06763f09d1ede5d8fe6cb7f397676f681fe5e233a87815cf5eef2bba3b6c6eaf4f5cb066bec1675b34f97745932a6fa31227af
SSDEEP

3072:B1NjcVVnLpPunbR73LSVVcFeqcL+ztw9jtAXFUOpJ4BEeT6d9Eh7Q7Ql6stCEuhX:bNeZmxNtcLkw01FuBFW9i7sQ8uTxPoRz

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2904	glmvoahjy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97ea9eb9abdc300ce758c07ef0a31854be8342969bcacfc458e642540b63d63a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	glmvoahjy.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2904	2848	97ea9eb9abdc300ce758c07ef0a31854be8342969bcacfc458e642540b63d63a.exe	82
PID 2848 wrote to memory of 2904	2848	97ea9eb9abdc300ce758c07ef0a31854be8342969bcacfc458e642540b63d63a.exe	82
PID 2848 wrote to memory of 2904	2848	97ea9eb9abdc300ce758c07ef0a31854be8342969bcacfc458e642540b63d63a.exe	82
PID 2904 wrote to memory of 2952	2904	glmvoahjy.exe	83
PID 2904 wrote to memory of 2952	2904	glmvoahjy.exe	83
PID 2904 wrote to memory of 2952	2904	glmvoahjy.exe	83

C:\Users\Admin\AppData\Local\Temp\97ea9eb9abdc300ce758c07ef0a31854be8342969bcacfc458e642540b63d63a.exe
"C:\Users\Admin\AppData\Local\Temp\97ea9eb9abdc300ce758c07ef0a31854be8342969bcacfc458e642540b63d63a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\glmvoahjy.exe
  C:\Users\Admin\AppData\Local\Temp\glmvoahjy.exe C:\Users\Admin\AppData\Local\Temp\tqecasoyy
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\glmvoahjy.exe
    C:\Users\Admin\AppData\Local\Temp\glmvoahjy.exe C:\Users\Admin\AppData\Local\Temp\tqecasoyy
    3⤵
    PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\glmvoahjy.exe

Filesize
4KB

MD5
dea5c229f2b9623e29d3236d26da3551

SHA1
782235d5f7991fef92f72ad3aa045fc1105708f3

SHA256
c8dce5a38599e3e4929af394c86710593dd84388e18ee9f512800685c909d2d8

SHA512
4a3aaa23d5ea3801ae64ae71d7e3824a8e3f817d61c617619c31a3842ec30668c1d0e1729fe519315285132664ced11a558a30e1e06e48c457840eb9a9573e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\muknjfeee8l

Filesize
214KB

MD5
aa43485753e947755b3c8c3dbb3361c2

SHA1
4736e91d2653674b3d7980aecdb5bfd229b539a4

SHA256
28637ca5c43bf76dc87730b0c3e4f28b185b20eb7f1dc8ab33c603f430d92cd6

SHA512
cc688835b4ca06135e6b78587acf94cf03d47498c93ded5c8e432d357c62334bf1fad995427bcf9f140664a9e4f5ad92a70a1754fad8ee087bf4aa010655f62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqecasoyy

Filesize
5KB

MD5
a1a8a509af6adc2e9268cc980b73d212

SHA1
345d370630623d58e5fe33b825e1c8bfce1f61c3

SHA256
7bb3c803d687bad9745ca83d390ae94aef0ae770f2965a97bf6963e579828959

SHA512
6c573f8ff9831ecbb81d4291b802e5e35500e844ec861f55b6e0f15d85b5865a173f2a8df11ba017c190eb24cb6a004d20ba2fa4c25ca2129f48997af6f5bbac

Download Submit
memory/2904-8-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download