cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bba

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Size

193KB
MD5

cf7016c7901134c2660dc0880df500a0
SHA1

3d86e8fe7ff95be5c705b4e63a7c8d1bc0b95579
SHA256

cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bba
SHA512

64b8d3613a9075c0166148006a74865111f6729f00153474f7801fd20614057923924b2480ade357232d54d39f6de9d942f7f7452e56f6d2e7d58b208c90dfbd
SSDEEP

3072:sC5pS4ZmlxGHFdrKkojinHCo63Q77NPcO8I012sk/U6bOPQKZCl7dRz:HpS44lk7ojin0Q7JPA2Np6Pba

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
File created	C:\Windows\assembly\Desktop.ini	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Token: 33	2656	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Token: SeIncBasePriorityPrivilege	2656	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Token: 33	2656	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Token: SeIncBasePriorityPrivilege	2656	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Token: 33	2656	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Token: SeIncBasePriorityPrivilege	2656	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 64	2656	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe	84
PID 2656 wrote to memory of 64	2656	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe	84
PID 2656 wrote to memory of 64	2656	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe	84
PID 64 wrote to memory of 1780	64	csc.exe	86
PID 64 wrote to memory of 1780	64	csc.exe	86
PID 64 wrote to memory of 1780	64	csc.exe	86
PID 2656 wrote to memory of 3908	2656	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe	90
PID 2656 wrote to memory of 3908	2656	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe	90
PID 2656 wrote to memory of 3908	2656	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe	90
PID 3908 wrote to memory of 4028	3908	csc.exe	92
PID 3908 wrote to memory of 4028	3908	csc.exe	92
PID 3908 wrote to memory of 4028	3908	csc.exe	92

C:\Users\Admin\AppData\Local\Temp\cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
"C:\Users\Admin\AppData\Local\Temp\cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\idipufmo.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE9E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBE9D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1780
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wwaixcnq.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2C4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC2C3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\IsolatedStorage\qlkpym5d.rs4\lwss2c4r.4g4\Url.vtncc2fscj0out3vrm4ob5ux5xw4n45f\AssemFiles\D1E02126\D\UGxhdGZvcm0gT1MgQml0bmVzczogNjQ=.bin

Filesize
8B

MD5
33cdeccccebe80329f1fdbee7f5874cb

SHA1
3da89ee273be13437e7ecf760f3fbd4dc0e8d1fe

SHA256
7c9fa136d4413fa6173637e883b6998d32e1d675f88cddff9dcbcf331820f4b8

SHA512
991294f43425a5b80f8a5907ca7cdbb611401282585a58bb415077005428e3b4c0f661fc07ba5c45f627bd8bdcb172389ce2fda461c029b837abc70f0abbea20

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBE9E.tmp

Filesize
1KB

MD5
f5cd1c93c93566351189197861532ce1

SHA1
91280d8d9ecefb1c3a7a9e08910c1c730d57762a

SHA256
6ed55906b2bdc3b8d0a6bfbaf79e78d4ab7c3773f6ed243be876243adba97f72

SHA512
1877bebf96100a833151332ec30e754bd5e488583a1d7945bb8847b2e29e239998aa04fa273ce739b008b2ed68834fc79805e6ee3a067411d99d9d6b2e0e61b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC2C4.tmp

Filesize
1KB

MD5
59f894481f0cdca7b44fc5747a422ead

SHA1
38e2c5c31a69602ace180ec0fcbaea53b5ce0854

SHA256
f4b5ec786f1d67a29115676cb78369546ec7d8c1ae31531befce75cb1d54e6a9

SHA512
ab8cb94533e21efcacf10e8e20049ca8bdc1893ed3e447ac4ab70bb2afdbd3fe5dcaa83601fb822d093930b76214e316f04fce4eb291fceed732bf9c3dd870ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\idipufmo.dll

Filesize
8KB

MD5
656b0a948310e8f4f41761684048dd42

SHA1
a2fb419bede04aad4002f2df2d3f6d3c83672225

SHA256
140ef855b6afc1212a911eaf641b5da167e328e957cac161393d11e805ea0b49

SHA512
662cc20f290d24f5cdf3187c9c710cc676850fc07615b87f061774d42315f2310a1af90737f39522db4562f7bf04efd1a304aa4327a7b5bf243206cf59bcdf06

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwaixcnq.dll

Filesize
9KB

MD5
4a7c62a88b320d13477161d40f8f4cb9

SHA1
73de02405e813fbf8be85b30d32a692494ec7da8

SHA256
d82a723f080ee85097afee6c5aff7b7f1405d2b3799b8654476d8548d3da71e4

SHA512
9c60590cef198d98fc5f59de08a8da16eab692de64a78e6fcad570361b81d345f3509a955de74886c57edfa5753068c43ea1a404eb1a66b1b600dbe958c02a47

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBE9D.tmp

Filesize
652B

MD5
2ea9cdda56c4169fa647b3ca9607db70

SHA1
04398697899e217da2d72f785ebe03a8d3b3d721

SHA256
81833fade8b2266d9a01ca9f150de36d6e709381a70225975063666b63eacbbf

SHA512
c2288665db92c9afe6b5159621d40c939df8bbed9e574fdd39c06f8c222ea09d1625a7d0e8732862c6eee6c989474eb764e46d7bd666cadf0d56bcbe91f72e97

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC2C3.tmp

Filesize
652B

MD5
089b480adfa19b0ee227697beb81d73a

SHA1
749ddc9ad49052d767a2b5f7a6aa70e10ac110cd

SHA256
5bb72192ea7e987b7f491f25437bb69eb4413603a2597e8bdcac48a08d2a2d2e

SHA512
19f81d0de1535be5f6b244d1945c6094bac59aae1206e279cbea888a9dad79cfdd93276b719cd04d7a3f98b0ec564bdd1ee95da490846223a5f69ea940abb475

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\idipufmo.0.cs

Filesize
10KB

MD5
d2d7e4693e3a527e3e490ab95191a3c2

SHA1
a2c76d1cdc6368ec51dec206e5c69c9db17c4841

SHA256
659ca8074c55b3167fff69c3eda03a5a732b7f661601f67630aac967d1830b92

SHA512
be84a53402b1f0d561141f3c9e0ce9f312382ba43d7af9982855cfd065e2bc44f031e4ea2ffa4d31ee627c132d0feb1d3771e03fd2b968c8216027f399abd247

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\idipufmo.cmdline

Filesize
638B

MD5
ae1f4ffab16246d118b69d04ea96c489

SHA1
c4baf20b4b3e9434bf4c81cd5cf5c5c13b8b566e

SHA256
bfd9da4779b4daee5128aa1a142161af253bb27c02a01a45e8f780dc0746659a

SHA512
b5c0c74da5a1177d1ac7a93c0a24fa9465c6dc032242dfcaa68a7a75673727847f9ffcd3810aed3bcd1d2444f9a0d0f6197f92b0505b211121ce2ea16f447405

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wwaixcnq.0.cs

Filesize
11KB

MD5
a5359f077b9b324b5f0953bc55071e9e

SHA1
2a7cb4f22878ce0fa8e90a9165b332c25c216970

SHA256
fa191fae6a54369b819faf5ec718ac90775217fe091aa127fb42545fba150f38

SHA512
ec967b6c7a32d4111d7d1ea6ac6d0b175298c32fcfa16d7cff2c7c9ea7362bce07a6e3afa88d52cbc9868b9a0b3cf2b85d42925afd064827cf2c3d67920c976c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wwaixcnq.cmdline

Filesize
638B

MD5
be89a5fa9df2a2695eda8f7f93ea3dc7

SHA1
6272bdba3e682af7c16a17e5950ea870b35d39c9

SHA256
be4bd505849f38c54ed5f959050015eb9a4c2920e5ee27a164555dda24c493e5

SHA512
6417fd6c61d5ad7defa2a3907a5387f0d60afabb302619348da4265bdd55eeaaa4c4e18c4a07c150203f98f660b65411b63a4b12dc3372a986ecc111c32288ed

Download Submit
memory/64-34-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/64-27-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2656-0-0x00000000745E2000-0x00000000745E3000-memory.dmp

Filesize
4KB

Download
memory/2656-11-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2656-26-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2656-25-0x00000000745E2000-0x00000000745E3000-memory.dmp

Filesize
4KB

Download
memory/2656-10-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2656-46-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2656-2-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2656-1-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2656-54-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/3908-48-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/3908-50-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download