21b32a1e3ba18f9c1600a5f093a528668a93dacbe09526f4cb2fdae76b1eea13

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d89d473d7d5197aa0c44c01eb69d620N.exe
Size

384KB
MD5

7d89d473d7d5197aa0c44c01eb69d620
SHA1

d2df580e34d72d8829e0d00f29586a1026c10416
SHA256

21b32a1e3ba18f9c1600a5f093a528668a93dacbe09526f4cb2fdae76b1eea13
SHA512

f11221e952eef6b1ed43d02e95695485adea987ecbae4d503cdd6e56757cb10acde9efeec1d57266224e5acf61036a339f6093b4585619f2e46ed654dca57ae3
SSDEEP

6144:bfb4EjyM6ro0dk46MKq8l/UdpWdDJboY4sJ9pALL7j11:bfsEO9o0e46MKq8l/Udp6D9d9pAX

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3928	7d89d473d7d5197aa0c44c01eb69d620N.exe

Executes dropped EXE 1 IoCs

pid	Process
3928	7d89d473d7d5197aa0c44c01eb69d620N.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2084	3436	WerFault.exe	82
2200	3928	WerFault.exe	89
712	3928	WerFault.exe	89
2268	3928	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d89d473d7d5197aa0c44c01eb69d620N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d89d473d7d5197aa0c44c01eb69d620N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3436	7d89d473d7d5197aa0c44c01eb69d620N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3928	7d89d473d7d5197aa0c44c01eb69d620N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 3928	3436	7d89d473d7d5197aa0c44c01eb69d620N.exe	89
PID 3436 wrote to memory of 3928	3436	7d89d473d7d5197aa0c44c01eb69d620N.exe	89
PID 3436 wrote to memory of 3928	3436	7d89d473d7d5197aa0c44c01eb69d620N.exe	89

C:\Users\Admin\AppData\Local\Temp\7d89d473d7d5197aa0c44c01eb69d620N.exe
"C:\Users\Admin\AppData\Local\Temp\7d89d473d7d5197aa0c44c01eb69d620N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 384
  2⤵
  - Program crash
  PID:2084
- C:\Users\Admin\AppData\Local\Temp\7d89d473d7d5197aa0c44c01eb69d620N.exe
  C:\Users\Admin\AppData\Local\Temp\7d89d473d7d5197aa0c44c01eb69d620N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:3928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 352
    3⤵
    - Program crash
    PID:2200
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 768
    3⤵
    - Program crash
    PID:712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 788
    3⤵
    - Program crash
    PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3436 -ip 3436
1⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3928 -ip 3928
1⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3928 -ip 3928
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3928 -ip 3928
1⤵
PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7d89d473d7d5197aa0c44c01eb69d620N.exe

Filesize
384KB

MD5
a56541ea1836dc38b9beb9ad40a0fcf7

SHA1
e188595dfc70fda2e092f066d11ae638acfcd5ed

SHA256
c9fcf1eb3d72a40986a805f2fc40e80e0193b7fc767d022b5bb52dccbf618318

SHA512
79f5f4b87d7d36325ad1b7e0e721139c60ac24f84013e11980558e5e9e7f48ff70c3dde4ca6c9bb4b3bf3ee6e59f1b7669e4b1817c8ec7b3f8c8555a4a73f7b4

Download Submit
memory/3436-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3436-6-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3928-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3928-8-0x0000000001510000-0x0000000001546000-memory.dmp

Filesize
216KB

Download
memory/3928-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download