e7ed3ba895db825e9f8f8440a31107ee109ea23881f11382a5bf48e714740b0a

Analysis

max time kernel
110s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 00:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2a081d05e6d9b12c7ef5e539be6aad90N.exe
Size

3.7MB
MD5

2a081d05e6d9b12c7ef5e539be6aad90
SHA1

8db1391c5aaab78b4306433374ca8f713db7a4d8
SHA256

e7ed3ba895db825e9f8f8440a31107ee109ea23881f11382a5bf48e714740b0a
SHA512

2f343db7c08a15cb06cafa4b77c42536bd38db4006af8fa1d451d29807c3953740edb707fd4a9c9b050175175e318c54299c87cc804a6176e3ebc07953de243d
SSDEEP

98304:O54u6+r5EzRBJ8GE9VDbpi/0vASrX6RXsZODa5:ON6+r5ETOGoRbpQX+i+

Score

3^/10

discovery

Malware Config

Signatures

Program crash 11 IoCs

pid	pid_target	Process	procid_target
4980	3540	WerFault.exe	83
4480	3540	WerFault.exe	83
3828	3540	WerFault.exe	83
404	3540	WerFault.exe	83
4524	3540	WerFault.exe	83
4568	3540	WerFault.exe	83
2904	3540	WerFault.exe	83
3780	3540	WerFault.exe	83
5080	3540	WerFault.exe	83
2604	3540	WerFault.exe	83
1796	3540	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a081d05e6d9b12c7ef5e539be6aad90N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3540	2a081d05e6d9b12c7ef5e539be6aad90N.exe
3540	2a081d05e6d9b12c7ef5e539be6aad90N.exe

C:\Users\Admin\AppData\Local\Temp\2a081d05e6d9b12c7ef5e539be6aad90N.exe
"C:\Users\Admin\AppData\Local\Temp\2a081d05e6d9b12c7ef5e539be6aad90N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 852
  2⤵
  - Program crash
  PID:4980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 860
  2⤵
  - Program crash
  PID:4480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 936
  2⤵
  - Program crash
  PID:3828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1052
  2⤵
  - Program crash
  PID:404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1092
  2⤵
  - Program crash
  PID:4524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1092
  2⤵
  - Program crash
  PID:4568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1112
  2⤵
  - Program crash
  PID:2904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1140
  2⤵
  - Program crash
  PID:3780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1120
  2⤵
  - Program crash
  PID:5080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 968
  2⤵
  - Program crash
  PID:2604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1260
  2⤵
  - Program crash
  PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3540 -ip 3540
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3540 -ip 3540
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3540 -ip 3540
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3540 -ip 3540
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3540 -ip 3540
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3540 -ip 3540
1⤵
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3540 -ip 3540
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3540 -ip 3540
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3540 -ip 3540
1⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3540 -ip 3540
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3540 -ip 3540
1⤵
PID:732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3540-0-0x0000000000400000-0x0000000000BBD000-memory.dmp

Filesize
7.7MB

Download
memory/3540-1-0x0000000000400000-0x0000000000BBD000-memory.dmp

Filesize
7.7MB

Download
memory/3540-2-0x0000000000400000-0x000000000090A000-memory.dmp

Filesize
5.0MB

Download
memory/3540-3-0x0000000000400000-0x0000000000BBD000-memory.dmp

Filesize
7.7MB

Download
memory/3540-4-0x0000000000400000-0x0000000000BBD000-memory.dmp

Filesize
7.7MB

Download
memory/3540-6-0x0000000000400000-0x000000000090A000-memory.dmp

Filesize
5.0MB

Download