2420028d36da51aa0dae20755b04a555fd1fb943900b92694dd07b98a240fcf8

Analysis

max time kernel
92s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2420028d36da51aa0dae20755b04a555fd1fb943900b92694dd07b98a240fcf8.exe
Size

330KB
MD5

1aed40a6d6905d5925b73ed69e2abe5c
SHA1

9db9a82acad118dc6982aebbeafad0da4275761c
SHA256

2420028d36da51aa0dae20755b04a555fd1fb943900b92694dd07b98a240fcf8
SHA512

d081ffea933add3fc01fa413503a28c4b7ecbcabff7adecaa7be2b827de87b116e9b7c5d30c402a2a70a3bdd42590c604ff8c179f2135df71c461aad2618c65e
SSDEEP

6144:rGiWFJ+xCSNOoUApGXSgXra44WmkXOf21pNvdwSnNZ6hER+LtZwNANh:mc1peSyJTmOOydwSnNghEUN

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3068	sktwcrbcw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2420028d36da51aa0dae20755b04a555fd1fb943900b92694dd07b98a240fcf8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sktwcrbcw.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 3068	2000	2420028d36da51aa0dae20755b04a555fd1fb943900b92694dd07b98a240fcf8.exe	83
PID 2000 wrote to memory of 3068	2000	2420028d36da51aa0dae20755b04a555fd1fb943900b92694dd07b98a240fcf8.exe	83
PID 2000 wrote to memory of 3068	2000	2420028d36da51aa0dae20755b04a555fd1fb943900b92694dd07b98a240fcf8.exe	83
PID 3068 wrote to memory of 3928	3068	sktwcrbcw.exe	84
PID 3068 wrote to memory of 3928	3068	sktwcrbcw.exe	84
PID 3068 wrote to memory of 3928	3068	sktwcrbcw.exe	84

C:\Users\Admin\AppData\Local\Temp\2420028d36da51aa0dae20755b04a555fd1fb943900b92694dd07b98a240fcf8.exe
"C:\Users\Admin\AppData\Local\Temp\2420028d36da51aa0dae20755b04a555fd1fb943900b92694dd07b98a240fcf8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\sktwcrbcw.exe
  C:\Users\Admin\AppData\Local\Temp\sktwcrbcw.exe C:\Users\Admin\AppData\Local\Temp\myzocc
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\sktwcrbcw.exe
    C:\Users\Admin\AppData\Local\Temp\sktwcrbcw.exe C:\Users\Admin\AppData\Local\Temp\myzocc
    3⤵
    PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e9b93caba3chp

Filesize
210KB

MD5
6959c53711979583b19819771642483b

SHA1
eb9f8170afc344b9f50ea15ca7a69e5f283d1528

SHA256
0bd18b88232a68106339f089b902c0b842c2a02a30623f57bcf5f67eef83431e

SHA512
501a6672bcb7fb115d44ef57ec2e9ad087002e82150cbb32afd30638b033569c1beb41f63b755d9f49d8b5249a71f5201980b433a6f50d4f896ed394f1b7e4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\myzocc

Filesize
4KB

MD5
f0336e492b8ef2246e6312e55acccb00

SHA1
2aee4e08aa5f063a6a193e381a53332bb664627d

SHA256
6c3750621221fb01c27d222775414bf653a2e4c7825b20c0ce3581a73ba43387

SHA512
0e9e3194134a15ab8eafb3fd5f46167ed40e7fdb7c1c94f37de4f23acbb394f42c2229c2f16972c7e02a934bf5dc8e825379c815c51b2b8d40cc9485a2d29dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\sktwcrbcw.exe

Filesize
168KB

MD5
e0e19fe43a0197178e47411ecac579d9

SHA1
df75c86efc582b3ae29dc024f1daf6355a039ccb

SHA256
9c9a983c1bf4fa89f56449f43b4cee03f21c707e517da90ee010d43ccb451388

SHA512
ce1792cfa792130031e46888bed40ff70c3c1d5713d99daae220c598d8705adf7367638615081db9f9b50e41981514a36eb5a554e5373ff6adc12c73869f8800

Download Submit
memory/3068-8-0x0000000000B70000-0x0000000000B72000-memory.dmp

Filesize
8KB

Download