fdbc0e391f0d629808b450ceef6abd97a0e573d74542b6c8b0dc43cd125fb44b

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34e0753e119558c8aad1449cd4926370N.exe
Size

202KB
MD5

34e0753e119558c8aad1449cd4926370
SHA1

bc090098e464a7d93b4da67570d4c06a36339541
SHA256

fdbc0e391f0d629808b450ceef6abd97a0e573d74542b6c8b0dc43cd125fb44b
SHA512

d17902a0d5228f8b708ede154eb3a701a0260f6cbb9c80b2924ccdcf98f75f8018f54bcb9a3ca4efc71cee65baf4e0d03c4a3e7ed2e3f5eb24497813e7274cf1
SSDEEP

6144:QrPVrrlUIHL6j+dAe6c52y16E1Pic7IL8eXrP:QLVrr16idoc5Tx9P728eXrP

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3528	34e0753e119558c8aad1449cd4926370N.exe

Executes dropped EXE 1 IoCs

pid	Process
3528	34e0753e119558c8aad1449cd4926370N.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3424	3656	WerFault.exe	80
3532	3528	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34e0753e119558c8aad1449cd4926370N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3656	34e0753e119558c8aad1449cd4926370N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3528	34e0753e119558c8aad1449cd4926370N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3656 wrote to memory of 3528	3656	34e0753e119558c8aad1449cd4926370N.exe	88
PID 3656 wrote to memory of 3528	3656	34e0753e119558c8aad1449cd4926370N.exe	88
PID 3656 wrote to memory of 3528	3656	34e0753e119558c8aad1449cd4926370N.exe	88

C:\Users\Admin\AppData\Local\Temp\34e0753e119558c8aad1449cd4926370N.exe
"C:\Users\Admin\AppData\Local\Temp\34e0753e119558c8aad1449cd4926370N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 396
  2⤵
  - Program crash
  PID:3424
- C:\Users\Admin\AppData\Local\Temp\34e0753e119558c8aad1449cd4926370N.exe
  C:\Users\Admin\AppData\Local\Temp\34e0753e119558c8aad1449cd4926370N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 364
    3⤵
    - Program crash
    PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3656 -ip 3656
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3528 -ip 3528
1⤵
PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\34e0753e119558c8aad1449cd4926370N.exe

Filesize
202KB

MD5
1e91cfd33a416f6c71773b3dee60c3f0

SHA1
2b4f003d39b7af071b54ce3c1ffa29bdeabbc8e8

SHA256
0bd775f476d2f5e80707b5d45d8af0861139a7b4a7293e334906d712c20fb09c

SHA512
9288608b23c0d8888b33438718c66bab79e9d5bec7ee7c176ffeadfa2d9515f8eaf82b02f8b93b219bd22068f6e57a320cd42c31e34d182d7633ca9d2a7eeedb

Download Submit
memory/3528-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3528-8-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3528-13-0x00000000015E0000-0x000000000161E000-memory.dmp

Filesize
248KB

Download
memory/3528-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3656-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3656-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download