73d8883e0c48b932a6bcb66795f03b50942be0d56e2e502743b14e11db961fa9

Analysis

max time kernel
95s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73d8883e0c48b932a6bcb66795f03b50942be0d56e2e502743b14e11db961fa9N.exe
Size

192KB
MD5

2a88d8c910326d95e008aa92c13929e0
SHA1

bed76d661c462730d20c7b249b5827b6128af4d0
SHA256

73d8883e0c48b932a6bcb66795f03b50942be0d56e2e502743b14e11db961fa9
SHA512

69b40e600415b5be73f8fed30c8ec03ff424c1a6e2cc5170f4ab58f1fa4e3270aea96e83167928452568df1e215e4585337b757b299aadf505242c1cc7e4390b
SSDEEP

6144:GNeZmUgf4BuF1ZOif+9mhTjbUgttnj6taxzv:GNlUoyIL9Z3UQnj6gv

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3388	sjirvufszz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73d8883e0c48b932a6bcb66795f03b50942be0d56e2e502743b14e11db961fa9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sjirvufszz.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 3388	2820	73d8883e0c48b932a6bcb66795f03b50942be0d56e2e502743b14e11db961fa9N.exe	85
PID 2820 wrote to memory of 3388	2820	73d8883e0c48b932a6bcb66795f03b50942be0d56e2e502743b14e11db961fa9N.exe	85
PID 2820 wrote to memory of 3388	2820	73d8883e0c48b932a6bcb66795f03b50942be0d56e2e502743b14e11db961fa9N.exe	85
PID 3388 wrote to memory of 2296	3388	sjirvufszz.exe	86
PID 3388 wrote to memory of 2296	3388	sjirvufszz.exe	86
PID 3388 wrote to memory of 2296	3388	sjirvufszz.exe	86

C:\Users\Admin\AppData\Local\Temp\73d8883e0c48b932a6bcb66795f03b50942be0d56e2e502743b14e11db961fa9N.exe
"C:\Users\Admin\AppData\Local\Temp\73d8883e0c48b932a6bcb66795f03b50942be0d56e2e502743b14e11db961fa9N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\sjirvufszz.exe
  C:\Users\Admin\AppData\Local\Temp\sjirvufszz.exe C:\Users\Admin\AppData\Local\Temp\pmlgrqmhoc
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Users\Admin\AppData\Local\Temp\sjirvufszz.exe
    C:\Users\Admin\AppData\Local\Temp\sjirvufszz.exe C:\Users\Admin\AppData\Local\Temp\pmlgrqmhoc
    3⤵
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ki7qd8tlalvzrhr72jcr

Filesize
163KB

MD5
b490ced5f8f3ae2d743806c5b2257a8f

SHA1
f6da53053f556695d5a42f6ea9082083c3998664

SHA256
62170b9f7aa6bba7bc6673e44655c92f7a6eb70ee7c048ba966f8eb2bc38379a

SHA512
1be69088f3580b4e83fcaa8d1285ce29e2ce4af92b98b05a3b4d1cfa22cbc879d793beb84a63fc382bef1b32255ec6b17aed6a3c466cd519e2dcb7acb2290776

Download Submit
C:\Users\Admin\AppData\Local\Temp\pmlgrqmhoc

Filesize
5KB

MD5
e8ff72a14022a6986681f60711c68562

SHA1
7400b827cf9658c57ed8706a31bfa2423cfaf1a1

SHA256
a2bd1323fca2dd540fb09b147952759f31f687a9d34179532afd177fd38c3685

SHA512
392fe1895fb12f7cb4aa8f815b2be83d27523e82ef0df300f90ed3c9262cb40f9b78cb5b1e6684725c55ab302f9ec5a8fc25d9703a636d3e05d015a49559e925

Download Submit
C:\Users\Admin\AppData\Local\Temp\sjirvufszz.exe

Filesize
4KB

MD5
babae7abb31dcd1f94e811c758fdd33e

SHA1
0304a302eeff58291ab8f0f665059c2e422cb4da

SHA256
32b60827026569821e8f671a1e180e2162584383ddbec8f979acc1a0141cfaaf

SHA512
b8d0c4b38d04e204a2dff740c5634e548d9082a1cb1ffb55d40d78bd704efbc1b919f146867381718acfd680f93676c35f1cb74e6374b706daaeb8947c0777c8

Download Submit
memory/3388-8-0x00000000005A0000-0x00000000005A2000-memory.dmp

Filesize
8KB

Download