2e96258f3dd21d059f59831295d32d324a849c87bc5a2149a49c97fcf5783558

Analysis

max time kernel
90s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-25/unknown-e1ffabc651f471b8d4141420d8e171310bc91a400462062ca96f6ac202a0a896.exe
Size

380KB
MD5

f6801450c785d0873122146b2abac250
SHA1

00155ae2e2fb6221d54a02a6a37fba248361f991
SHA256

e1ffabc651f471b8d4141420d8e171310bc91a400462062ca96f6ac202a0a896
SHA512

1ede9e2a8ceb52b1a704453ef6c75075adf62dbbfc338d20d2e999fb06e95bf1ce4c1660dc6f6142e96f10dd6a7dabc5d69ab12c38fef683541455c49d33d064
SSDEEP

6144:PqQ1fKF0S3RN6GEFxim4SlcBjWMDibbn9o5v+Tk/M+b85BkAXP41ON2NMGEMh2Fa:PqMf4Ki59p/ML3FMhCQvjhZ3Rh

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3252	Applications.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\DirectSetup\Applications.exe	unknown-e1ffabc651f471b8d4141420d8e171310bc91a400462062ca96f6ac202a0a896.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unknown-e1ffabc651f471b8d4141420d8e171310bc91a400462062ca96f6ac202a0a896.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Applications.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5096	unknown-e1ffabc651f471b8d4141420d8e171310bc91a400462062ca96f6ac202a0a896.exe
5096	unknown-e1ffabc651f471b8d4141420d8e171310bc91a400462062ca96f6ac202a0a896.exe
5096	unknown-e1ffabc651f471b8d4141420d8e171310bc91a400462062ca96f6ac202a0a896.exe
5096	unknown-e1ffabc651f471b8d4141420d8e171310bc91a400462062ca96f6ac202a0a896.exe
3252	Applications.exe
3252	Applications.exe
3252	Applications.exe
3252	Applications.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 3252	5096	unknown-e1ffabc651f471b8d4141420d8e171310bc91a400462062ca96f6ac202a0a896.exe	83
PID 5096 wrote to memory of 3252	5096	unknown-e1ffabc651f471b8d4141420d8e171310bc91a400462062ca96f6ac202a0a896.exe	83
PID 5096 wrote to memory of 3252	5096	unknown-e1ffabc651f471b8d4141420d8e171310bc91a400462062ca96f6ac202a0a896.exe	83

C:\Users\Admin\AppData\Local\Temp\2024-12-25\unknown-e1ffabc651f471b8d4141420d8e171310bc91a400462062ca96f6ac202a0a896.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-25\unknown-e1ffabc651f471b8d4141420d8e171310bc91a400462062ca96f6ac202a0a896.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Program Files\DirectSetup\Applications.exe
  "C:\Program Files\DirectSetup\Applications.exe" "33201"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DirectSetup\Applications.exe

Filesize
380KB

MD5
35a515bc518b4acc0cb18d65a2d43dd7

SHA1
3f2339622e913daca92721e1122a4d4efa1a0cf9

SHA256
c7743c8fd8d8a348226716c39d4dd780582aaac9beeccf82c37e2a9cde5b3660

SHA512
a138e8c59098e7d085f4695866c53309f9290103cb20c887688e3cc89616b3cbe489faff41df4a870d769692a5cd96cd165698d0f68845aadc4fa7c0b349593a

Download Submit