1d063e084df2d2719ae2576a938bba2f66cdbbb1570cf10e9f251fa2fb6f9819

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93f302a61a72b084bc9f179bc7e83560N.exe
Size

768KB
MD5

93f302a61a72b084bc9f179bc7e83560
SHA1

87c9723bf1755b302b389679efd0c4f5e9f88985
SHA256

1d063e084df2d2719ae2576a938bba2f66cdbbb1570cf10e9f251fa2fb6f9819
SHA512

49787da3f6b71ba71a9887e4ed235bcd46881b39b268e3777a5f3a15c11cb9d03dc25bf4c83be0b56d3f1ad9bf9a1af53c3d000af19dd4c9ee4f19b882909904
SSDEEP

12288:5tF8rVehLRrMfbCAf9CAfK4AXygqfwWCAfK4AXygqfYCAfRCAT:5tGxqGfb9f99foigY79foigYY9fR9

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1964	93f302a61a72b084bc9f179bc7e83560N.exe

Executes dropped EXE 1 IoCs

pid	Process
1964	93f302a61a72b084bc9f179bc7e83560N.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3468	2396	WerFault.exe	81
4552	1964	WerFault.exe	89
1384	1964	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93f302a61a72b084bc9f179bc7e83560N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2396	93f302a61a72b084bc9f179bc7e83560N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1964	2396	93f302a61a72b084bc9f179bc7e83560N.exe	89
PID 2396 wrote to memory of 1964	2396	93f302a61a72b084bc9f179bc7e83560N.exe	89
PID 2396 wrote to memory of 1964	2396	93f302a61a72b084bc9f179bc7e83560N.exe	89

C:\Users\Admin\AppData\Local\Temp\93f302a61a72b084bc9f179bc7e83560N.exe
"C:\Users\Admin\AppData\Local\Temp\93f302a61a72b084bc9f179bc7e83560N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 396
  2⤵
  - Program crash
  PID:3468
- C:\Users\Admin\AppData\Local\Temp\93f302a61a72b084bc9f179bc7e83560N.exe
  C:\Users\Admin\AppData\Local\Temp\93f302a61a72b084bc9f179bc7e83560N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 372
    3⤵
    - Program crash
    PID:4552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 408
    3⤵
    - Program crash
    PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2396 -ip 2396
1⤵
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1964 -ip 1964
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1964 -ip 1964
1⤵
PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\93f302a61a72b084bc9f179bc7e83560N.exe

Filesize
768KB

MD5
c9f7f941d52f974a1c0b1ad6b418674f

SHA1
a62f929eec1132669fb87235bd9a48100496eea5

SHA256
247a3501318aff6545bf71f1c4a1ede0cd3aecdc5ad23943c70c8afa4d22a16a

SHA512
313e7c849970ce6315c8b017fb5ce06fc88269c4451543f9f000cf8976473115975a306b0c0889b582df2c55efff309e2536448ffcf7c7016fa30cc6cc1cc6ff

Download Submit
memory/1964-8-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1964-10-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2396-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2396-7-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download