ca19432da459c894d6886030b078a5a132fa244aaaff0433f95bf888b586530d

Analysis

max time kernel
95s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3824f68042b243ff952a0184baaca8ede5c254821a8ec8e8be9fa86224ddbc55.exe
Size

337KB
MD5

1e9e125ed34109f2c640b25538185cac
SHA1

89faa5b5789eb1633ca74ee15d34c16c0b0cf174
SHA256

3824f68042b243ff952a0184baaca8ede5c254821a8ec8e8be9fa86224ddbc55
SHA512

b5a98b361d7006b12570b15ef28d5fdc41f274db6e95e9eea7ec6f08736676b630ad2bb0347aecb7bca9433a5f31eafa6f3bd72dd504ec4ec61dc01e06d0c1ee
SSDEEP

6144:rGiPGY4OddUWhpyRJ5Q/cd78kxpAX1F1NIyEA29o7EJYUlhZIzPW:yY4Opyb5Q/cV8kxGX1FMaFEJVpcW

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
644	kczbgk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3824f68042b243ff952a0184baaca8ede5c254821a8ec8e8be9fa86224ddbc55.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kczbgk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 644	2372	3824f68042b243ff952a0184baaca8ede5c254821a8ec8e8be9fa86224ddbc55.exe	85
PID 2372 wrote to memory of 644	2372	3824f68042b243ff952a0184baaca8ede5c254821a8ec8e8be9fa86224ddbc55.exe	85
PID 2372 wrote to memory of 644	2372	3824f68042b243ff952a0184baaca8ede5c254821a8ec8e8be9fa86224ddbc55.exe	85
PID 644 wrote to memory of 4932	644	kczbgk.exe	86
PID 644 wrote to memory of 4932	644	kczbgk.exe	86
PID 644 wrote to memory of 4932	644	kczbgk.exe	86

C:\Users\Admin\AppData\Local\Temp\3824f68042b243ff952a0184baaca8ede5c254821a8ec8e8be9fa86224ddbc55.exe
"C:\Users\Admin\AppData\Local\Temp\3824f68042b243ff952a0184baaca8ede5c254821a8ec8e8be9fa86224ddbc55.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\kczbgk.exe
  C:\Users\Admin\AppData\Local\Temp\kczbgk.exe C:\Users\Admin\AppData\Local\Temp\izlci
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Users\Admin\AppData\Local\Temp\kczbgk.exe
    C:\Users\Admin\AppData\Local\Temp\kczbgk.exe C:\Users\Admin\AppData\Local\Temp\izlci
    3⤵
    PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bq9us3yoko0kt

Filesize
211KB

MD5
0f791ef8faf6091b8669f3e5b2adbcd8

SHA1
e2bfa7ea56a168a47cc109eade62a8218b0b2270

SHA256
7f706d371f83e83437ae340a4242ee3af096f2ba5f22baa0a51be2dedb8a0eac

SHA512
ace9176527a9b0a93fe217395abbb695004271eb65581cb5175a6e662d7d0412dcafff0f68a5e127ba88f78cdf04f768b35ce73aa5d90fe032b1012eb82dd7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\izlci

Filesize
4KB

MD5
61c47d1e8fc4a14c3433e98be9607abc

SHA1
2d1a5e8ffb4845488ecf41926ef79c1a7fdfc025

SHA256
ab8e7743f47f6443df4a96f275ae101167e8a5bbf13b268db7181d43fd7fb5b3

SHA512
5a1c176f172800a49c8d16597b3516153707310b34c6220d79c1f06923ac0d2c2f3efc5586570d9001d86db1f31c281746a98a0200db4861439d680cc6890925

Download Submit
C:\Users\Admin\AppData\Local\Temp\kczbgk.exe

Filesize
177KB

MD5
0bf3e785b6a7a0c1ae07417cbf290121

SHA1
5cf19f555dc7ed6eefa74285e95ca7b396855793

SHA256
bd0b5a7be527aa878536fa7f40dcff283a51a7138109efaf2a44440b235a0ab5

SHA512
d83ab29b90b2f07d8125d5452a113ab43dffd88a423003e0a53d5937549ef7d04b4e994a8b2520637651d46080c98c8a3bea2916c1dccb42f6f97cf966ce81cb

Download Submit
memory/644-8-0x0000000001210000-0x0000000001212000-memory.dmp

Filesize
8KB

Download