b50bbb4b93fd8ef7a2876b3743dfda6945e9011f406e71b41897244b0b836467

Analysis

max time kernel
117s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10-08-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bb032333f6f2199f35a512aa920a651975ea1b4c3aa7fac0ad69efa2539f42c.exe
Size

1.2MB
MD5

6bf88fc25bf35ecfa3f0bc1564e3e24d
SHA1

bca6855c8e3842b0cfb94318cc0244dbc2a08e44
SHA256

2bb032333f6f2199f35a512aa920a651975ea1b4c3aa7fac0ad69efa2539f42c
SHA512

c8ce4d6e000199ed1940d12ca349de028305b4b516e485ddec24a062d1c6e34202853fff37acdc34d94705a5b5556fb4f084e54fafe0ee91bc96aa3ee40233a7
SSDEEP

24576:SqDEvCTbMWu7rQYlBQcBiT6rprG8aHrDWs2iF3tyipz:STvC/MTQYxsWR7aHMinyA

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4700	2092	WerFault.exe	71

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bb032333f6f2199f35a512aa920a651975ea1b4c3aa7fac0ad69efa2539f42c.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2092	2bb032333f6f2199f35a512aa920a651975ea1b4c3aa7fac0ad69efa2539f42c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 4568	2092	2bb032333f6f2199f35a512aa920a651975ea1b4c3aa7fac0ad69efa2539f42c.exe	72
PID 2092 wrote to memory of 4568	2092	2bb032333f6f2199f35a512aa920a651975ea1b4c3aa7fac0ad69efa2539f42c.exe	72
PID 2092 wrote to memory of 4568	2092	2bb032333f6f2199f35a512aa920a651975ea1b4c3aa7fac0ad69efa2539f42c.exe	72

C:\Users\Admin\AppData\Local\Temp\2bb032333f6f2199f35a512aa920a651975ea1b4c3aa7fac0ad69efa2539f42c.exe
"C:\Users\Admin\AppData\Local\Temp\2bb032333f6f2199f35a512aa920a651975ea1b4c3aa7fac0ad69efa2539f42c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\2bb032333f6f2199f35a512aa920a651975ea1b4c3aa7fac0ad69efa2539f42c.exe"
  2⤵
  PID:4568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 700
  2⤵
  - Program crash
  PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut6DD3.tmp

Filesize
280KB

MD5
a82ce025fcf8e2592730b4b71c9562e1

SHA1
d4c3feb9dab11daa364c3d517796c6da6eecad03

SHA256
ef1fd17fde2cb743100d45f8c4808508fa9955e191a2f9f0505624043f2f1507

SHA512
489b0ab9e7ecccd4577574bb9e971bb58ca36eba5667ca3e9d644deb3c05f0d04ea05cef3f0f281040bbf11aa9cf528d2ddd997547bac455681fb7e5be582291

Download Submit
memory/2092-13-0x00000000014D0000-0x00000000014D4000-memory.dmp

Filesize
16KB

Download