8a493236ca59271b4398d411e3a8f52149000a44958a25f754869978ee037e47

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DT0912.exe
Size

1.2MB
MD5

35605d52ce7729150f07f79a6d14a415
SHA1

f123414e65aef81242fa4cee2779de1a2a62d377
SHA256

7f5165dc64cbd376f256758989a91cf0600173d59f4384ad112a40dce8db530d
SHA512

20e14a0cb568d28d7d94ebbfa5a053fee8f547bc03b3c7888263d50f2438eed86d71959e8b0eb4d9b79c279fddc68cadc5da0e6be850f58fbbc497f3253b9ee2
SSDEEP

24576:iAOcZXp0TRXJFPJ0MK8WRyl/ZUkjPV99npuezy71oporahG:oFXPJ0MKzYhUkj9fZe6GJ

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DT0912.exe

Executes dropped EXE 1 IoCs

pid	Process
4768	xloxhh.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4768 set thread context of 5056	4768	xloxhh.pif	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
320	5056	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DT0912.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xloxhh.pif

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 4768	4716	DT0912.exe	83
PID 4716 wrote to memory of 4768	4716	DT0912.exe	83
PID 4716 wrote to memory of 4768	4716	DT0912.exe	83
PID 4768 wrote to memory of 4824	4768	xloxhh.pif	85
PID 4768 wrote to memory of 4824	4768	xloxhh.pif	85
PID 4768 wrote to memory of 4824	4768	xloxhh.pif	85
PID 4768 wrote to memory of 5056	4768	xloxhh.pif	86
PID 4768 wrote to memory of 5056	4768	xloxhh.pif	86
PID 4768 wrote to memory of 5056	4768	xloxhh.pif	86
PID 4768 wrote to memory of 5056	4768	xloxhh.pif	86

C:\Users\Admin\AppData\Local\Temp\DT0912.exe
"C:\Users\Admin\AppData\Local\Temp\DT0912.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Users\Admin\AppData\Local\Temp\2_101\xloxhh.pif
  "C:\Users\Admin\AppData\Local\Temp\2_101\xloxhh.pif" kjwo.mgn
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:4824
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:5056
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 80
      4⤵
      Program crash
      PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5056 -ip 5056
1⤵
PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2_101\nxvvj.ldr

Filesize
370KB

MD5
4042b086cf8df0770f753726e4b6c4b9

SHA1
14caa496049a1ba222eb941e12356cffff5d8b9e

SHA256
007258bb8950deeff87478499a383f83a206a54ac1e2368b80f9ffbab63ad4c6

SHA512
975cef0d39a894efd5c81f4931768ac5d37cab862992a8479d4ea239f854d48441ca9499bdf986eb6011ce3319ebacce8a418948e0f484d3581cff88ad39c88d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_101\usjhb.ini

Filesize
41KB

MD5
d448358249bf35da4ef7231b3be856e5

SHA1
833677b1b2a39ec3b24e72345e268297afa480ea

SHA256
ca8fdd6895dec6ffa46e980d83bcb4c51f31a04c73836b6afe33bb854c391c19

SHA512
c79e3ec6179a21226e9d4dcfef3446fe2e375f69522dfe21b52f6c369e82b7c15187ea84bb3db0fa3bca58be540cbeb81c7ad1ea2e5b4def03a401e8cc08ff1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_101\xloxhh.pif

Filesize
1.7MB

MD5
dd3466f64841cf21fc31f63f03dbfd29

SHA1
3878c8e52203d792c6f672595f7c78ab27ce3f04

SHA256
4fe3004208ed574521992dd1ba3d900b75a0f02f1d63ba1e531d309e85ffa06b

SHA512
adf3fe8378f7da5ba278db9a1df4cc7b5cff12398ec39ee7037382ebf57897de8bec72be64b5e7332bdb7ed865788dcb6ef4ceda6654e1153d39fe84b011b057

Download Submit