e7706dd5f9b91a20bc5881f9efd75af166942828a426879343df9454f767ece9

Resubmissions

23-01-2025 15:13

250123-sl31vatmct 10

23-01-2025 15:12

250123-slbllavndp 7

Analysis

max time kernel
17s
max time network
19s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
23-01-2025 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CrackNursultan (2).exe
Size

2.1MB
MD5

e9b8ce25037c26fe63171b24f06d04ec
SHA1

e33459bc02a1cd4824bb9f44c89b05dce7e20cec
SHA256

e7706dd5f9b91a20bc5881f9efd75af166942828a426879343df9454f767ece9
SHA512

ace3e8a023c6247b4e52cd09560c7c7f45af357dcaa14f26452741cddb2d09d94816b0e6bc79edefb03aa6e169385f0dfd039feba0e781a0e0884a3859100ef4
SSDEEP

24576:2TbBv5rUyXVs/ZFmQyOMPaRILC9j5oaKACNnAuuyGf2YnSeqjEwJdAXf0YaHssOq:IBJ8zAE9x5KNlueYSKdPNBp1rsvf

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000\Control Panel\International\Geo\Nation	CrackNursultan (2).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CrackNursultan (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings	CrackNursultan (2).exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3296 wrote to memory of 4432	3296	CrackNursultan (2).exe	83
PID 3296 wrote to memory of 4432	3296	CrackNursultan (2).exe	83
PID 3296 wrote to memory of 4432	3296	CrackNursultan (2).exe	83

C:\Users\Admin\AppData\Local\Temp\CrackNursultan (2).exe
"C:\Users\Admin\AppData\Local\Temp\CrackNursultan (2).exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\bridgeMsHyperServersaves\8aU1Ht2JGPOaPOAacGdrdRd2tVHIcbmBVM.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\bridgeMsHyperServersaves\8aU1Ht2JGPOaPOAacGdrdRd2tVHIcbmBVM.vbe

Filesize
231B

MD5
ee9dbcbdf3bea0aa067657fc427f311d

SHA1
2fa9586b66a720bde1de53a8f3748f2b3488b7bc

SHA256
db75336fe141a767a78d6461ff1ad7b1366edc73c8c220d1aa9e1a5338d82793

SHA512
4db077f0bc0bdf24b32e4c1b2d43ce1f65666d68d4762090e54534b8b47ded35855d304599eaef35d44531604577d120a98859aa9759d68421350805dd0e1313

Download Submit