69cfdd7648e85a9976063c76e042b07decb727b3b3744820584aa88c32b3b479

Analysis

max time kernel
106s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c0086f5428034dbd15db205b7416660N.exe
Size

2.8MB
MD5

4c0086f5428034dbd15db205b7416660
SHA1

cf1ba15313c06d0e15a8038dbd54072fdabc5109
SHA256

69cfdd7648e85a9976063c76e042b07decb727b3b3744820584aa88c32b3b479
SHA512

ae90b31aa2ccd3c2e6a99dbe4788b05ded980845c6abe0cfde9cf2ccc84a3616e1c48957a251068206cb430fe27cbba5dd238793b2012b4c38f129d16ba2b1fe
SSDEEP

24576:090ddKpX/wn1ta/ZSsniF+ujZXIMfX2av5SAODFDDaPZS6XSl+t:+sdAvwTgxniXtXIMfX2wGBDDQ/XSe

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3404	4c0086f5428034dbd15db205b7416660N.exe

Executes dropped EXE 1 IoCs

pid	Process
3404	4c0086f5428034dbd15db205b7416660N.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3336	4688	WerFault.exe	83
2504	3404	WerFault.exe	91
4520	3404	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c0086f5428034dbd15db205b7416660N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4688	4c0086f5428034dbd15db205b7416660N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3404	4c0086f5428034dbd15db205b7416660N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 3404	4688	4c0086f5428034dbd15db205b7416660N.exe	91
PID 4688 wrote to memory of 3404	4688	4c0086f5428034dbd15db205b7416660N.exe	91
PID 4688 wrote to memory of 3404	4688	4c0086f5428034dbd15db205b7416660N.exe	91

C:\Users\Admin\AppData\Local\Temp\4c0086f5428034dbd15db205b7416660N.exe
"C:\Users\Admin\AppData\Local\Temp\4c0086f5428034dbd15db205b7416660N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 344
  2⤵
  - Program crash
  PID:3336
- C:\Users\Admin\AppData\Local\Temp\4c0086f5428034dbd15db205b7416660N.exe
  C:\Users\Admin\AppData\Local\Temp\4c0086f5428034dbd15db205b7416660N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 344
    3⤵
    - Program crash
    PID:2504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 384
    3⤵
    - Program crash
    PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4688 -ip 4688
1⤵
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3404 -ip 3404
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3404 -ip 3404
1⤵
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4c0086f5428034dbd15db205b7416660N.exe

Filesize
2.8MB

MD5
066063ca29bfebe202f68e4ed8b12431

SHA1
b2ab362245265b4d1483c63e33686b598a94455b

SHA256
02d98e87741a413bfb54717f5822f2557ea085508c575dac8c454120e8e3de49

SHA512
8726c32d89dc8a70aeca18cfa91f883589aa4dc5db8cad99173b2d404d44fa943fdb58d763597ba20e91df9a35774f4ea802d30c9a5b1512d1e0908a43f43865

Download Submit
memory/3404-7-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3404-8-0x00000000050E0000-0x00000000051C8000-memory.dmp

Filesize
928KB

Download
memory/3404-10-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4688-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4688-6-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download