cef37f3296f9a9d61a760a045c5ac55bd1110fee4ee9827aced0069981bc0dbe

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

167f095c678aad5d26949f46d21bd2bc07744b09968d780e310484b42404580e.exe
Size

260KB
MD5

c12a88137a0676ae55c4c77d5d4932d0
SHA1

2f1686c543ed90281fc983e95123e8f6c7a9dce9
SHA256

167f095c678aad5d26949f46d21bd2bc07744b09968d780e310484b42404580e
SHA512

d3a81c4aae6f5863ed368648f0440f75397e3f2ac60c507f37b58250db42dcf192ba701b0cfb10d98b1bd98d9785761ad37c803a4b2837e45e77df3fc6c86a63
SSDEEP

6144:HNeZmwzYdsGNMiVdbU0Qvoro999xhgA2NhHk7+dkTLhuAT:HNl97LGDrhJBr

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1380	hgwblnwgct.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	167f095c678aad5d26949f46d21bd2bc07744b09968d780e310484b42404580e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hgwblnwgct.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 1380	3092	167f095c678aad5d26949f46d21bd2bc07744b09968d780e310484b42404580e.exe	83
PID 3092 wrote to memory of 1380	3092	167f095c678aad5d26949f46d21bd2bc07744b09968d780e310484b42404580e.exe	83
PID 3092 wrote to memory of 1380	3092	167f095c678aad5d26949f46d21bd2bc07744b09968d780e310484b42404580e.exe	83

C:\Users\Admin\AppData\Local\Temp\167f095c678aad5d26949f46d21bd2bc07744b09968d780e310484b42404580e.exe
"C:\Users\Admin\AppData\Local\Temp\167f095c678aad5d26949f46d21bd2bc07744b09968d780e310484b42404580e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Users\Admin\AppData\Local\Temp\hgwblnwgct.exe
  "C:\Users\Admin\AppData\Local\Temp\hgwblnwgct.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hgwblnwgct.exe

Filesize
74KB

MD5
4111e78e1b2f65a6c9cde6a549d337d9

SHA1
f3ab87fc6678f1f6f676fa3243dedb0728832dbc

SHA256
d45f7a637f385cac3c1b519a702d02fbf8d0bbfb883f87454ba352a4fec32bf4

SHA512
9c7cdefd0b3712210a1bd31df9306fe1cb371b242dd2c45d3f7365d7e202a046733e8b2645f41f7dd30149f6a12b1687442778fc0abe72c94b6f1958bf1719ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\lvpesoyw.yc

Filesize
185KB

MD5
c5d2384b9de3cdebe56596bce22fa46f

SHA1
7a59777449fb7e01f3619962230389e84d5bf02b

SHA256
dda566842b6138f181749831a47faeec97d3f419e6d69baeb6cd700b53803249

SHA512
97a278b14834f56d2b0f86c164f2df1250cfcc3584f6d6fca59c8df724c9acdafcf55581a9764d0c2155171796b171814cb152730a889675e241c7c702038175

Download Submit
C:\Users\Admin\AppData\Local\Temp\mbtxgrmn.qkn

Filesize
4KB

MD5
8fc77382a36e77da8bbe5fc266303940

SHA1
d4ef21eb553df4adadf42d15950a57364f8ce7ed

SHA256
768c14fb09a5fd7c789accdc8ccd6d07c2d1569f70dc48d68981b796f7725cdc

SHA512
60be2161a5643db5fddd735dd06220527033b17e83beef08f4ba6c08a69f62fc0c6232c6be73af4cc790a2429859a905170004287378d2b0f2fa41252a8eaf69

Download Submit
memory/1380-8-0x0000000000D50000-0x0000000000D52000-memory.dmp

Filesize
8KB

Download