bd3ef02621b16846e829e9d7274553abfdeb189153a881c15b70f6e3b2f4ee8f

Resubmissions

07/02/2025, 12:37

250207-ptt65aslak 10

07/02/2025, 12:34

250207-prwl6sskak 10

07/02/2025, 12:31

250207-pqgfvssjcp 10

Analysis

max time kernel
149s
max time network
271s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
07/02/2025, 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payload.exe
Size

83KB
MD5

534f369ccf6412aedd991e525a1e72ff
SHA1

7ac06b4a71634ea87c47aa4d95debaea98728d59
SHA256

bd3ef02621b16846e829e9d7274553abfdeb189153a881c15b70f6e3b2f4ee8f
SHA512

fab8374a454d0cfe7b48439fb84337216056124889d8f882007fec18555cf97c96bbcbedaf59c3b56f25198c5dc00c7d0427f8fe72875c57538c54fdec7eb281
SSDEEP

1536:7eB1Gt0g5eEkG9WQcGDWX3xIEpmugSgytVlVqKu0UxYy0hAc:o1GtR1kG9WQnDWX3xIEpmsLRVqKnUxXB

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Payload.exe

Executes dropped EXE 1 IoCs

pid	Process
4252	dllhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 4252	736	Payload.exe	95
PID 736 wrote to memory of 4252	736	Payload.exe	95
PID 736 wrote to memory of 4252	736	Payload.exe	95
PID 4252 wrote to memory of 4828	4252	dllhost.exe	100
PID 4252 wrote to memory of 4828	4252	dllhost.exe	100
PID 4252 wrote to memory of 4828	4252	dllhost.exe	100

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4828	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:736
- C:\Users\Admin\AppData\Roaming\dllhost.exe
  "C:\Users\Admin\AppData\Roaming\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Users\Admin\AppData\Roaming\dllhost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
83KB

MD5
534f369ccf6412aedd991e525a1e72ff

SHA1
7ac06b4a71634ea87c47aa4d95debaea98728d59

SHA256
bd3ef02621b16846e829e9d7274553abfdeb189153a881c15b70f6e3b2f4ee8f

SHA512
fab8374a454d0cfe7b48439fb84337216056124889d8f882007fec18555cf97c96bbcbedaf59c3b56f25198c5dc00c7d0427f8fe72875c57538c54fdec7eb281

Download Submit
memory/736-0-0x0000000074892000-0x0000000074893000-memory.dmp

Filesize
4KB

Download
memory/736-1-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/736-2-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/736-13-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/4252-12-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/4252-14-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/4252-15-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download