24ccaeb6ce00f29856e30175a712a74d6b3db3bd511f368e6223d20e36bbcc7d

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be8784e7ac9c7165b014a0ba97a2c8b0N.exe
Size

3.0MB
MD5

be8784e7ac9c7165b014a0ba97a2c8b0
SHA1

ba2f2a29c3cc6fb2986782ab32010fa5bf1083a3
SHA256

24ccaeb6ce00f29856e30175a712a74d6b3db3bd511f368e6223d20e36bbcc7d
SHA512

0fa02d25bf0c98c7811ed0b0bb1cc9631f7b12dfd1b33470a6624b1d3dac7fa15bfa40150a8635bc2e98da84b84d6452b4f48500d3ff1d65f4702d6f7795b545
SSDEEP

24576:2dfsbEpVcnZ58a/ZS2JovBYzJLVxZITvKMMMvQAM2BYRcBoA1/LhAggkesqOBGhn:01qZ58gnLqrXgiYAqxem

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2980	be8784e7ac9c7165b014a0ba97a2c8b0N.exe

Executes dropped EXE 1 IoCs

pid	Process
2980	be8784e7ac9c7165b014a0ba97a2c8b0N.exe

Loads dropped DLL 4 IoCs

pid	Process
2400	be8784e7ac9c7165b014a0ba97a2c8b0N.exe
316	WerFault.exe
316	WerFault.exe
316	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
316	2980	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be8784e7ac9c7165b014a0ba97a2c8b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be8784e7ac9c7165b014a0ba97a2c8b0N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2400	be8784e7ac9c7165b014a0ba97a2c8b0N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2980	be8784e7ac9c7165b014a0ba97a2c8b0N.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2980	2400	be8784e7ac9c7165b014a0ba97a2c8b0N.exe	31
PID 2400 wrote to memory of 2980	2400	be8784e7ac9c7165b014a0ba97a2c8b0N.exe	31
PID 2400 wrote to memory of 2980	2400	be8784e7ac9c7165b014a0ba97a2c8b0N.exe	31
PID 2400 wrote to memory of 2980	2400	be8784e7ac9c7165b014a0ba97a2c8b0N.exe	31
PID 2980 wrote to memory of 316	2980	be8784e7ac9c7165b014a0ba97a2c8b0N.exe	32
PID 2980 wrote to memory of 316	2980	be8784e7ac9c7165b014a0ba97a2c8b0N.exe	32
PID 2980 wrote to memory of 316	2980	be8784e7ac9c7165b014a0ba97a2c8b0N.exe	32
PID 2980 wrote to memory of 316	2980	be8784e7ac9c7165b014a0ba97a2c8b0N.exe	32

C:\Users\Admin\AppData\Local\Temp\be8784e7ac9c7165b014a0ba97a2c8b0N.exe
"C:\Users\Admin\AppData\Local\Temp\be8784e7ac9c7165b014a0ba97a2c8b0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\be8784e7ac9c7165b014a0ba97a2c8b0N.exe
  C:\Users\Admin\AppData\Local\Temp\be8784e7ac9c7165b014a0ba97a2c8b0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 144
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\be8784e7ac9c7165b014a0ba97a2c8b0N.exe

Filesize
3.0MB

MD5
4479ebaedb2c71110944f0195f28bb02

SHA1
b5e267a07a0debbc72cc3c238b87855aca98f703

SHA256
2beff28ca6984bd3ec3ca6a34e5b80bd933793b0046880a22d4bd0c64be77f74

SHA512
a4d342403291d927650b4d550480ac38c33ad71557c2049d8955a229537469ef8f4a62eb4a27126c8b273564fc4af9c6caf6190565d7ee880fa3484d49d0ea50

Download Submit
memory/2400-0-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2400-7-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2980-9-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2980-10-0x0000000002D80000-0x0000000002E6E000-memory.dmp

Filesize
952KB

Download