bf791a2f43ce7856ad76c87f06cb323735a92acb1a4f17f4c5a6ea93a973ab19

Analysis

max time kernel
32s
max time network
34s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
27-12-2024 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SamFlash.exe
Size

40.1MB
MD5

f12dbf95da6430daca5896cbf5f4d26d
SHA1

42ff929901a144495657f6103796292318173555
SHA256

66af486c43f75e1bb7951457dbb173b56bb48a03179cf2ea05820981737494f3
SHA512

020e310a2148ad206b44ddc6cf89d2b6a38d8da31a63bac403d9aa00ea388e4e2354d4e0b586dadace7031a11ab5f0b54a09e54c5cb26512b5765bed3bdd5ef6
SSDEEP

786432:WJgcU5/BFm0ErjlqaxBKiZhOmXtSM8OLaZr6B+M5rvPWdv4BNT:1c8BFmxjlq4KeV216BZxPk

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SamFlash.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
5256	SamFlash.exe
5256	SamFlash.exe
5256	SamFlash.exe
5256	SamFlash.exe
5256	SamFlash.exe
5256	SamFlash.exe
5256	SamFlash.exe
5256	SamFlash.exe
5256	SamFlash.exe
5256	SamFlash.exe
5256	SamFlash.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5256	SamFlash.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5256	SamFlash.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2688	MiniSearchHost.exe

C:\Users\Admin\AppData\Local\Temp\SamFlash.exe
"C:\Users\Admin\AppData\Local\Temp\SamFlash.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5256

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
76fbe77cbc68f3bd5f0decad25775716

SHA1
2ebc2dea0b2224ea73fb5413d94ad38218122bf3

SHA256
8d59129db45c9f234318144380c9d167d89a9faa8e2a6aede9b5a3bcfdf650b6

SHA512
1a5d850914bd033defe42de3a333c2a7497927a07289258acd5ec08e973b4ed45030b0f299d6da5bac16ad607ed471b3db52a5c9676a532ecaa0836682618230

Download Submit
C:\Users\Admin\AppData\Local\Temp\SamFlash.ini

Filesize
199B

MD5
72f84c992a3045205db7e219fdf9e659

SHA1
61c2cfe006c9a077ee338c722e4c1cad1f336c6b

SHA256
596fd8bab743b07443cc338793fa3342208039fb5a115ecd013685019afb3f2a

SHA512
d8b01015abbcdedebb9a5c467e0a02cb5987574344b9d52f46a66b1d4f5346f5ab378a7dbc3a682b128059cf44c4bdbe8941f82e8f6fe0d14774c0072d966613

Download Submit
memory/5256-16-0x000000000E0D0000-0x000000000E556000-memory.dmp

Filesize
4.5MB

Download
memory/5256-4-0x00000000285F0000-0x000000002AC56000-memory.dmp

Filesize
38.4MB

Download
memory/5256-17-0x0000000009C80000-0x0000000009CA0000-memory.dmp

Filesize
128KB

Download
memory/5256-5-0x0000000008790000-0x000000000882C000-memory.dmp

Filesize
624KB

Download
memory/5256-6-0x0000000009680000-0x0000000009C26000-memory.dmp

Filesize
5.6MB

Download
memory/5256-7-0x0000000008C50000-0x0000000008CE2000-memory.dmp

Filesize
584KB

Download
memory/5256-8-0x0000000008780000-0x000000000878A000-memory.dmp

Filesize
40KB

Download
memory/5256-9-0x0000000008EE0000-0x0000000008F36000-memory.dmp

Filesize
344KB

Download
memory/5256-10-0x000000001C7E0000-0x000000001DB5C000-memory.dmp

Filesize
19.5MB

Download
memory/5256-11-0x00000000090D0000-0x00000000095F4000-memory.dmp

Filesize
5.1MB

Download
memory/5256-12-0x0000000008FA0000-0x0000000009088000-memory.dmp

Filesize
928KB

Download
memory/5256-13-0x000000000BC30000-0x000000000BCC8000-memory.dmp

Filesize
608KB

Download
memory/5256-14-0x000000000AE20000-0x000000000B5F4000-memory.dmp

Filesize
7.8MB

Download
memory/5256-15-0x000000000B690000-0x000000000BA36000-memory.dmp

Filesize
3.6MB

Download
memory/5256-59-0x0000000074510000-0x0000000074CC1000-memory.dmp

Filesize
7.7MB

Download
memory/5256-3-0x0000000074510000-0x0000000074CC1000-memory.dmp

Filesize
7.7MB

Download
memory/5256-18-0x000000000E810000-0x000000000EA22000-memory.dmp

Filesize
2.1MB

Download
memory/5256-19-0x000000000EA20000-0x000000000ED77000-memory.dmp

Filesize
3.3MB

Download
memory/5256-20-0x0000000074510000-0x0000000074CC1000-memory.dmp

Filesize
7.7MB

Download
memory/5256-21-0x0000000074510000-0x0000000074CC1000-memory.dmp

Filesize
7.7MB

Download
memory/5256-22-0x000000000C3D0000-0x000000000C47A000-memory.dmp

Filesize
680KB

Download
memory/5256-23-0x000000000CF40000-0x000000000CFF2000-memory.dmp

Filesize
712KB

Download
memory/5256-24-0x000000007451E000-0x000000007451F000-memory.dmp

Filesize
4KB

Download
memory/5256-25-0x0000000074510000-0x0000000074CC1000-memory.dmp

Filesize
7.7MB

Download
memory/5256-26-0x0000000074510000-0x0000000074CC1000-memory.dmp

Filesize
7.7MB

Download
memory/5256-27-0x0000000074510000-0x0000000074CC1000-memory.dmp

Filesize
7.7MB

Download
memory/5256-2-0x00000000082F0000-0x000000000833C000-memory.dmp

Filesize
304KB

Download
memory/5256-1-0x0000000000FB0000-0x00000000037D4000-memory.dmp

Filesize
40.1MB

Download
memory/5256-57-0x00000000088D0000-0x0000000008936000-memory.dmp

Filesize
408KB

Download
memory/5256-0-0x000000007451E000-0x000000007451F000-memory.dmp

Filesize
4KB

Download