6c7b96184ff5a873f55ba71e9bf801521c52ec1fbb8babb1c155d160d3b2bbef

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 22:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6c7b96184ff5a873f55ba71e9bf801521c52ec1fbb8babb1c155d160d3b2bbef.exe
Size

453KB
MD5

d47642c9c2e31a1d4676c1c57411bf52
SHA1

adc40b25227252bc727183b5c63de739c44930ac
SHA256

6c7b96184ff5a873f55ba71e9bf801521c52ec1fbb8babb1c155d160d3b2bbef
SHA512

65feb1fa447e9d64c7b8f25020ea0c6f9449f02850cc7cee0a41d4f34414a3a09ab1f7ec6fa46e17df94d091db31cb25debb8c99d2e57b5618f9848b19a80932
SSDEEP

12288:Pq+g9yxom4UW2gk0npM4dl0v5JHpS0wULW:C+g9RvUTgkEM4dmv5XfW

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4476	6c7b96184ff5a873f55ba71e9bf801521c52ec1fbb8babb1c155d160d3b2bbef.exe

Executes dropped EXE 1 IoCs

pid	Process
4476	6c7b96184ff5a873f55ba71e9bf801521c52ec1fbb8babb1c155d160d3b2bbef.exe

Program crash 5 IoCs

pid	pid_target	Process	procid_target
3316	5116	WerFault.exe	82
216	4476	WerFault.exe	89
3116	4476	WerFault.exe	89
2800	4476	WerFault.exe	89
4644	4476	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c7b96184ff5a873f55ba71e9bf801521c52ec1fbb8babb1c155d160d3b2bbef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c7b96184ff5a873f55ba71e9bf801521c52ec1fbb8babb1c155d160d3b2bbef.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5116	6c7b96184ff5a873f55ba71e9bf801521c52ec1fbb8babb1c155d160d3b2bbef.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4476	6c7b96184ff5a873f55ba71e9bf801521c52ec1fbb8babb1c155d160d3b2bbef.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 4476	5116	6c7b96184ff5a873f55ba71e9bf801521c52ec1fbb8babb1c155d160d3b2bbef.exe	89
PID 5116 wrote to memory of 4476	5116	6c7b96184ff5a873f55ba71e9bf801521c52ec1fbb8babb1c155d160d3b2bbef.exe	89
PID 5116 wrote to memory of 4476	5116	6c7b96184ff5a873f55ba71e9bf801521c52ec1fbb8babb1c155d160d3b2bbef.exe	89

C:\Users\Admin\AppData\Local\Temp\6c7b96184ff5a873f55ba71e9bf801521c52ec1fbb8babb1c155d160d3b2bbef.exe
"C:\Users\Admin\AppData\Local\Temp\6c7b96184ff5a873f55ba71e9bf801521c52ec1fbb8babb1c155d160d3b2bbef.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 384
  2⤵
  - Program crash
  PID:3316
- C:\Users\Admin\AppData\Local\Temp\6c7b96184ff5a873f55ba71e9bf801521c52ec1fbb8babb1c155d160d3b2bbef.exe
  C:\Users\Admin\AppData\Local\Temp\6c7b96184ff5a873f55ba71e9bf801521c52ec1fbb8babb1c155d160d3b2bbef.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:4476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 352
    3⤵
    - Program crash
    PID:216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 768
    3⤵
    - Program crash
    PID:3116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 788
    3⤵
    - Program crash
    PID:2800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 784
    3⤵
    - Program crash
    PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5116 -ip 5116
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4476 -ip 4476
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4476 -ip 4476
1⤵
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4476 -ip 4476
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4476 -ip 4476
1⤵
PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6c7b96184ff5a873f55ba71e9bf801521c52ec1fbb8babb1c155d160d3b2bbef.exe

Filesize
453KB

MD5
b6f5f3233e37cf9d76a41670270ef6cb

SHA1
417c29594efe7c919a5a75cffc4684b850a494e7

SHA256
6176623b2a86014fb3af4a821b9fe4e2c54aec89bdd0263c303381ded86d7298

SHA512
0c9831b495a2e18e92b105086cc48826c3b70df70da9a3f1ed782af7a95478c74582856df1ba523db40c99b50594660520c8d772ed9a695835147712bfa53a56

Download Submit
memory/4476-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4476-8-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4476-13-0x0000000001500000-0x000000000153E000-memory.dmp

Filesize
248KB

Download
memory/5116-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5116-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download