7a845fa8c9f5f96431b7446edaef1ece39235e2ec7e0b9f405223abb7b447ed8

Analysis

max time kernel
94s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca5d3c28acc99391742f7b61f8fe03a0N.exe
Size

8.9MB
MD5

ca5d3c28acc99391742f7b61f8fe03a0
SHA1

8e9b7cc2bc21b1eacd787fed759efc97ea0b6e29
SHA256

7a845fa8c9f5f96431b7446edaef1ece39235e2ec7e0b9f405223abb7b447ed8
SHA512

48a2d42fada7ff56a04d019ad8bd612dcfdae3c549d7b84899bc77a1d55e21cd97af73c812529131846c7698b05faa12f6482c1f21295a034dd3ba045b6d8d96
SSDEEP

98304:2229XtWHdC/yvl5YBLjU8/cOT0MMHMMM6MMZMMMqo30MMHMMM6MMZMMMqaYMMHMF:2fvuCQl5CXfQ1/ta5

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2208	ca5d3c28acc99391742f7b61f8fe03a0N.exe

Executes dropped EXE 1 IoCs

pid	Process
2208	ca5d3c28acc99391742f7b61f8fe03a0N.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2028	3932	WerFault.exe	80
828	2208	WerFault.exe	88
224	2208	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca5d3c28acc99391742f7b61f8fe03a0N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3932	ca5d3c28acc99391742f7b61f8fe03a0N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2208	ca5d3c28acc99391742f7b61f8fe03a0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 2208	3932	ca5d3c28acc99391742f7b61f8fe03a0N.exe	88
PID 3932 wrote to memory of 2208	3932	ca5d3c28acc99391742f7b61f8fe03a0N.exe	88
PID 3932 wrote to memory of 2208	3932	ca5d3c28acc99391742f7b61f8fe03a0N.exe	88

C:\Users\Admin\AppData\Local\Temp\ca5d3c28acc99391742f7b61f8fe03a0N.exe
"C:\Users\Admin\AppData\Local\Temp\ca5d3c28acc99391742f7b61f8fe03a0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 352
  2⤵
  - Program crash
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\ca5d3c28acc99391742f7b61f8fe03a0N.exe
  C:\Users\Admin\AppData\Local\Temp\ca5d3c28acc99391742f7b61f8fe03a0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 352
    3⤵
    - Program crash
    PID:828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 392
    3⤵
    - Program crash
    PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3932 -ip 3932
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2208 -ip 2208
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2208 -ip 2208
1⤵
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ca5d3c28acc99391742f7b61f8fe03a0N.exe

Filesize
8.9MB

MD5
f2a91b663bee1423fca5dc1bdd535af9

SHA1
9067abe8c0d4804a67e20d414734cecf154dfbc8

SHA256
edeaaeee6715bd8b6522b23543a279c9ff049a0e3bffad49d98ea4bae0faa75e

SHA512
5bda52aa434c6f23a468047ac342531c3147cf0f947969878df3f047b052447a0bd4830799c971307840284b8c5e5e6e9db9ebf264b61b7b52f167b945d34fd0

Download Submit
memory/2208-7-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2208-8-0x00000000050F0000-0x00000000051D5000-memory.dmp

Filesize
916KB

Download
memory/2208-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3932-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3932-6-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download