80f4ee6db5dcacfb44746e92828f0da9146905d3cf09bab7a4d601e9aac27a65

Analysis

max time kernel
104s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 04:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8f568d62b91609e52c424414f7f3d300N.exe
Size

350KB
MD5

8f568d62b91609e52c424414f7f3d300
SHA1

e698be566cd4e9a1915c3ceceb2695166a99f12e
SHA256

80f4ee6db5dcacfb44746e92828f0da9146905d3cf09bab7a4d601e9aac27a65
SHA512

52e55a007dbc86d5c0d81f0b5321275fa766db33eb5acb61d533f19d740a85de855eaafcc4bea90deee798d154bc02e95555734efb2bcce740914e35339de2f5
SSDEEP

6144:Ll44rrWHbRwcgPIQz43wEUk0s/7TA2dd+FhawLSkghfkgpHyhXW:L+ErsbROdMwEUk0s/fA22MvkEsW

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2764	8f568d62b91609e52c424414f7f3d300N.exe

Executes dropped EXE 1 IoCs

pid	Process
2764	8f568d62b91609e52c424414f7f3d300N.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2256	1912	WerFault.exe	83
1604	2764	WerFault.exe	90
3924	2764	WerFault.exe	90
1864	2764	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f568d62b91609e52c424414f7f3d300N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f568d62b91609e52c424414f7f3d300N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1912	8f568d62b91609e52c424414f7f3d300N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2764	8f568d62b91609e52c424414f7f3d300N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 2764	1912	8f568d62b91609e52c424414f7f3d300N.exe	90
PID 1912 wrote to memory of 2764	1912	8f568d62b91609e52c424414f7f3d300N.exe	90
PID 1912 wrote to memory of 2764	1912	8f568d62b91609e52c424414f7f3d300N.exe	90

C:\Users\Admin\AppData\Local\Temp\8f568d62b91609e52c424414f7f3d300N.exe
"C:\Users\Admin\AppData\Local\Temp\8f568d62b91609e52c424414f7f3d300N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 324
  2⤵
  - Program crash
  PID:2256
- C:\Users\Admin\AppData\Local\Temp\8f568d62b91609e52c424414f7f3d300N.exe
  C:\Users\Admin\AppData\Local\Temp\8f568d62b91609e52c424414f7f3d300N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:2764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 360
    3⤵
    - Program crash
    PID:1604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 768
    3⤵
    - Program crash
    PID:3924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 788
    3⤵
    - Program crash
    PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1912 -ip 1912
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2764 -ip 2764
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2764 -ip 2764
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2764 -ip 2764
1⤵
PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8f568d62b91609e52c424414f7f3d300N.exe

Filesize
350KB

MD5
260796659b0dc58e2ba88432f7550b1d

SHA1
600efc732113f6a323eec4563216941958de5943

SHA256
cacf193ed0cf51734ad1b76b8214147c4ae31c3406e0e03875f8eb0a5b92db38

SHA512
ce9ab3f8d9c79a7a2e4fc0691628a1055a30feb1b4077dc4af1fd3547c4e3121be648a37f40c990494f0530f5f6ae0c6515e8edb81e4dfa7d63bf3d2aa7550d9

Download Submit
memory/1912-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-9-0x00000000014A0000-0x00000000014D3000-memory.dmp

Filesize
204KB

Download
memory/2764-10-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download