e764f6e7bdb61df66914dcf9787d1bd6b738f1bd1f13320d57f44362c2ef676e

Analysis

max time kernel
93s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO 20002001.exe
Size

297KB
MD5

0ea5a94cd963591f731b5f460371e159
SHA1

1b3528c85a3a965106e2d81361d103c0833bf126
SHA256

ff4cff76876cda952a48855396ca07f5fb5216a5df0efd10c9701c135552703c
SHA512

577548cdbd08cc58bba5f08bdf25312d55395b9105334adbfbed3a5cf4d0e549ee4e0c9f0eb07e4f25c8246733f6d352e6c3af811669948905e0cc3d4f9e7aa4
SSDEEP

6144:dNeZ6Ej0A8ksOkFgZNK3ZPVQ8xqP2vYniHUPKI66gc:dNkjZsOkSZNKJPeJ3nS+

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4980	bwfjco.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO 20002001.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwfjco.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 4980	3016	PO 20002001.exe	83
PID 3016 wrote to memory of 4980	3016	PO 20002001.exe	83
PID 3016 wrote to memory of 4980	3016	PO 20002001.exe	83

C:\Users\Admin\AppData\Local\Temp\PO 20002001.exe
"C:\Users\Admin\AppData\Local\Temp\PO 20002001.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\bwfjco.exe
  "C:\Users\Admin\AppData\Local\Temp\bwfjco.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\achjhvsdh.azq

Filesize
4KB

MD5
7bd0fac8e7e5459381be70375c4c9dce

SHA1
8caac83cadcc9bcbef3c52c39bcbd96d2c1fa5ec

SHA256
b1d32cbf786ae8134a383e9d65da1a8a258fcb821c4ede9917a45aee318ec6c8

SHA512
e20f4c4515bba6d028c7a273ecb100e145d56344f30f0ddbf5400f34e7ce83081636f4f4ade3227565609583cce7a4a2ee564717fcf2ec2a295230f22a613660

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwfjco.exe

Filesize
6KB

MD5
9c52ec38c352cd19ae28913fe206a5b3

SHA1
a79300b49a4f1cce8db98515f79759a51bae664b

SHA256
5cb816f8eec3869aba2eec928f0a2c212b55658ae4d0f58ccfe5dbee87ba47de

SHA512
efa5c0060a217a2a8d5a811d0895dfe52ec4cc7213218d7abd09f1a3a621b828015df4c7adcd26ca71f776610ad9a46a710114297a5a76411cd22850675e0a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\shvpsv.be

Filesize
185KB

MD5
d19b92cc62122dcaf130832ec21246e1

SHA1
e3e63fa4982dcce0227939e80e34ad3641eb7ff6

SHA256
d04d38a866be7fa623450edc018e90f6c7d671fec29310f6771e2f4b7c9dcb98

SHA512
dad7e263853e1cb1f1dab2734b97bb7d498f87a017054a80dd0ba07746fb8d16d03db57815cc6d6ecf1e10a544a5560edd1a4ab2ef594539935a2d253ef9043a

Download Submit
memory/4980-8-0x00000000012A0000-0x00000000012A2000-memory.dmp

Filesize
8KB

Download