5e5d5458b8a025c2bc9a6e7998492989732967c9a1019b11d655200adf3686c7

Analysis

max time kernel
116s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

820e99e0735f8d9d1de08e386589c506.exe
Size

15KB
MD5

820e99e0735f8d9d1de08e386589c506
SHA1

335b44f3ea73fc36519ca1f823f3afd7ce2c64dd
SHA256

701b77e509df1ce240271f9cc9ac874df64e593e0eb8f3cd207db9dcebbc22bc
SHA512

378353ffdafa706600a0a6c2efcf0bfa0d2d6eec948557a31667d9de2fccae6ac3fe735730ce4ed38210526834cfbdb1f549f48337cde2615d4cee3e78fc3e54
SSDEEP

384:8MrJk6GClRZt9qGOVNJk7ha4H949dyNx:hk6pRZPrOVh4H9wQx

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	820e99e0735f8d9d1de08e386589c506.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	820e99e0735f8d9d1de08e386589c506.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1540	cmd.exe
1776	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1776	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 4056	768	820e99e0735f8d9d1de08e386589c506.exe	95
PID 768 wrote to memory of 4056	768	820e99e0735f8d9d1de08e386589c506.exe	95
PID 768 wrote to memory of 4056	768	820e99e0735f8d9d1de08e386589c506.exe	95
PID 4056 wrote to memory of 2300	4056	csc.exe	97
PID 4056 wrote to memory of 2300	4056	csc.exe	97
PID 4056 wrote to memory of 2300	4056	csc.exe	97
PID 768 wrote to memory of 1540	768	820e99e0735f8d9d1de08e386589c506.exe	98
PID 768 wrote to memory of 1540	768	820e99e0735f8d9d1de08e386589c506.exe	98
PID 768 wrote to memory of 1540	768	820e99e0735f8d9d1de08e386589c506.exe	98
PID 1540 wrote to memory of 1776	1540	cmd.exe	100
PID 1540 wrote to memory of 1776	1540	cmd.exe	100
PID 1540 wrote to memory of 1776	1540	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\820e99e0735f8d9d1de08e386589c506.exe
"C:\Users\Admin\AppData\Local\Temp\820e99e0735f8d9d1de08e386589c506.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sylgdxma\sylgdxma.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB258.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA921F1C712744869851EF2DA895347.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2300
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\820e99e0735f8d9d1de08e386589c506.exe" & move "갌갎갮갗감갘갡갣갅갏갃.exe" "C:\Users\Admin\AppData\Local\Temp\820e99e0735f8d9d1de08e386589c506.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB258.tmp

Filesize
1KB

MD5
f38105163234aea5d471f253754050e7

SHA1
61f425760751781f527dc2d4e9313731ad70376d

SHA256
e2554492e6a2ab1082cf539dbfec1f602454d74276eb06aa351b3cdbd33689d4

SHA512
e262c3b724cf2d9a8bd49c98ed9c969078b586a1dcbbbc05ceacbc2b801113e8f05ff1099f3ccb6db77ac4bbc159f0d2d35e5979b162556f837d93a72e0d9110

Download Submit
C:\Users\Admin\AppData\Local\Temp\갌갎갮갗감갘갡갣갅갏갃.exe

Filesize
15KB

MD5
71f08f4b3d996724a4f6bd119268cc85

SHA1
3f4d605ec85822e87bb5c0260da4f6d52db34621

SHA256
7814a50f81d34362fdb68407dcb42067e57f6ae1d370889cf8ef694288328248

SHA512
94de38d430a68140c98a4b70ce0a6c5580c733b54dcfe64955affca88fc4af5ba5c2c0eec5c02559b1591edbeeef5d0369de312304b7d08ee46d8ce3853c5b1b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA921F1C712744869851EF2DA895347.TMP

Filesize
1KB

MD5
7ca24324e4d094e6c51fdd032b9a3230

SHA1
dd97dbe9529fa2043a9479a09016a21a20c2b1bc

SHA256
083ca1142798ecd412b3ebc38ee1feb93a3bf61cbd5d7910ce2304ad0db93e97

SHA512
b71c79e6e5a202208ede703567d78b0929f0d33e9ed3706eadd666d30f54ac0059f3be8ef60c0e8dc6d857f0fb33a3e5b9c3768fe959ea950c46ecb7a40de174

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sylgdxma\sylgdxma.0.cs

Filesize
25KB

MD5
9c14a6361d91c606b5a9186176f51ecd

SHA1
6c7886b5d3b8221d0883c00d7397b6a19f7b0a4f

SHA256
9d1f88114cfd05c7525e1d295711c418fdcf1f19c43ed9ce8a13b6d306ecde03

SHA512
e744a4a5183efc07b2454f611c46ecc16b006a14235c2a28bb810c73844590c197a5fda5b0b6c6e1411b4fa9ec3c5787b528ffa1c6dd7eaf47ebcb877a6787e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sylgdxma\sylgdxma.cmdline

Filesize
293B

MD5
4cbd86b7c417636c09521b057572e100

SHA1
7ddd23e5fb94b767bb8457c5318621fa56a77833

SHA256
a78786327b2e499ba78d62f5c8e40f495f8132377782b949a148d9ee94626eb3

SHA512
7e7953f9e6276a7252d694ec5c539bef96a00e36950d2225f1a0812d4e5c9ef773d9c8552f91cefbba271b28da84298f829101f7983f61a98ab34313a239ed8e

Download Submit
memory/768-5-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/768-0-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

Filesize
4KB

Download
memory/768-4-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/768-3-0x0000000004D80000-0x0000000004D88000-memory.dmp

Filesize
32KB

Download
memory/768-2-0x0000000005300000-0x00000000058A4000-memory.dmp

Filesize
5.6MB

Download
memory/768-1-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/768-18-0x0000000004E70000-0x0000000004E7A000-memory.dmp

Filesize
40KB

Download
memory/768-23-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads