84e1d7ef0ab4497dcebb07087479a40b523745523a292cb2da040b686b537a3d

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07/08/2024, 06:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

849c7ae770318ac09e0fde466e1becfe.exe
Size

952KB
MD5

849c7ae770318ac09e0fde466e1becfe
SHA1

964328dce9404626ed5aaf9657b5a3aee93e4b86
SHA256

84e1d7ef0ab4497dcebb07087479a40b523745523a292cb2da040b686b537a3d
SHA512

0f702ddab102f1e358ce80e80ac7c6f8c034a0e90b279330e2af4b448752dd897bdd037a081d940244fbc35ddefe99b95b15e05e6fade8374788d5b4098933f8
SSDEEP

24576:i1c1teTixkINNYmCifNi/WNRplOzBrBgSnGrR:7rC8kIMmh4qpsz9BgSER

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1596 set thread context of 2992	1596	849c7ae770318ac09e0fde466e1becfe.exe	31

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2664	2992	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	849c7ae770318ac09e0fde466e1becfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	849c7ae770318ac09e0fde466e1becfe.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 2992	1596	849c7ae770318ac09e0fde466e1becfe.exe	31
PID 1596 wrote to memory of 2992	1596	849c7ae770318ac09e0fde466e1becfe.exe	31
PID 1596 wrote to memory of 2992	1596	849c7ae770318ac09e0fde466e1becfe.exe	31
PID 1596 wrote to memory of 2992	1596	849c7ae770318ac09e0fde466e1becfe.exe	31
PID 1596 wrote to memory of 2992	1596	849c7ae770318ac09e0fde466e1becfe.exe	31
PID 1596 wrote to memory of 2992	1596	849c7ae770318ac09e0fde466e1becfe.exe	31
PID 1596 wrote to memory of 2992	1596	849c7ae770318ac09e0fde466e1becfe.exe	31
PID 2992 wrote to memory of 2664	2992	849c7ae770318ac09e0fde466e1becfe.exe	32
PID 2992 wrote to memory of 2664	2992	849c7ae770318ac09e0fde466e1becfe.exe	32
PID 2992 wrote to memory of 2664	2992	849c7ae770318ac09e0fde466e1becfe.exe	32
PID 2992 wrote to memory of 2664	2992	849c7ae770318ac09e0fde466e1becfe.exe	32

C:\Users\Admin\AppData\Local\Temp\849c7ae770318ac09e0fde466e1becfe.exe
"C:\Users\Admin\AppData\Local\Temp\849c7ae770318ac09e0fde466e1becfe.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Users\Admin\AppData\Local\Temp\849c7ae770318ac09e0fde466e1becfe.exe
  "C:\Users\Admin\AppData\Local\Temp\849c7ae770318ac09e0fde466e1becfe.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 36
    3⤵
    - Program crash
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1596-0-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

Filesize
4KB

Download
memory/1596-1-0x00000000011F0000-0x00000000012E4000-memory.dmp

Filesize
976KB

Download
memory/1596-2-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/1596-3-0x0000000001050000-0x0000000001068000-memory.dmp

Filesize
96KB

Download
memory/1596-4-0x0000000000B20000-0x0000000000B2E000-memory.dmp

Filesize
56KB

Download
memory/1596-5-0x0000000000C70000-0x0000000000C86000-memory.dmp

Filesize
88KB

Download
memory/1596-6-0x0000000005B40000-0x0000000005BCE000-memory.dmp

Filesize
568KB

Download
memory/1596-13-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-8-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2992-12-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2992-9-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2992-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download