bb80103ac259b0a260fe3fabea6c6ceedf4286f43b24665a9ec30bc1b19bd267

Analysis

max time kernel
60s
max time network
44s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Files/07610c4fda6b5d6e8920d8da44a58213ef6c4309c794978477e81ed50f885150.exe
Size

1.1MB
MD5

d444a977328b0f1b5e792a794ccd9fd0
SHA1

32a67b71ebb303ee25928a1eb76c548d384589b8
SHA256

07610c4fda6b5d6e8920d8da44a58213ef6c4309c794978477e81ed50f885150
SHA512

d71d6e38ab5a6b0bfead3f288f4202550a46991b02fda710c026248de66fe8b4d5ae7767018671413deee3d3a92a3a5934be1a95ff1e3909fecdb9b7cb0ec9e7
SSDEEP

24576:ru6J33O0c+JY5UZ+XC0kGso6FajYuNaeNAymutbrfYJfIcWY:Fu0c++OCvkGs9FajYulNZvJUfiY

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 212 set thread context of 3036	212	07610c4fda6b5d6e8920d8da44a58213ef6c4309c794978477e81ed50f885150.exe	90

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07610c4fda6b5d6e8920d8da44a58213ef6c4309c794978477e81ed50f885150.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
212	07610c4fda6b5d6e8920d8da44a58213ef6c4309c794978477e81ed50f885150.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
212	07610c4fda6b5d6e8920d8da44a58213ef6c4309c794978477e81ed50f885150.exe
212	07610c4fda6b5d6e8920d8da44a58213ef6c4309c794978477e81ed50f885150.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
212	07610c4fda6b5d6e8920d8da44a58213ef6c4309c794978477e81ed50f885150.exe
212	07610c4fda6b5d6e8920d8da44a58213ef6c4309c794978477e81ed50f885150.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 3036	212	07610c4fda6b5d6e8920d8da44a58213ef6c4309c794978477e81ed50f885150.exe	90
PID 212 wrote to memory of 3036	212	07610c4fda6b5d6e8920d8da44a58213ef6c4309c794978477e81ed50f885150.exe	90
PID 212 wrote to memory of 3036	212	07610c4fda6b5d6e8920d8da44a58213ef6c4309c794978477e81ed50f885150.exe	90
PID 212 wrote to memory of 3036	212	07610c4fda6b5d6e8920d8da44a58213ef6c4309c794978477e81ed50f885150.exe	90

C:\Users\Admin\AppData\Local\Temp\Files\07610c4fda6b5d6e8920d8da44a58213ef6c4309c794978477e81ed50f885150.exe
"C:\Users\Admin\AppData\Local\Temp\Files\07610c4fda6b5d6e8920d8da44a58213ef6c4309c794978477e81ed50f885150.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\07610c4fda6b5d6e8920d8da44a58213ef6c4309c794978477e81ed50f885150.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autB7D6.tmp

Filesize
282KB

MD5
d4281853a0d97ad5259ca9721bbe84e7

SHA1
4ff00025186f96e05341188ace6be7b10efcb48c

SHA256
71b0bf07a7d04e707ce9910f808ad3d77f56c6eb1c1c21ff3f62b45c3b7f553f

SHA512
45a564fad1caa52bdb34c087385f1cdb74434c31a293733aafae4e87d687c59739a3ab699b89d262707b006c9b5843feb3febfc65211bb51e375fb79715b1042

Download Submit
memory/212-8-0x0000000001140000-0x0000000001540000-memory.dmp

Filesize
4.0MB

Download
memory/3036-9-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3036-11-0x0000000001400000-0x000000000174A000-memory.dmp

Filesize
3.3MB

Download
memory/3036-10-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3036-12-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download