7262a1cc0ab7a4d4b18133b20d091f574d102bdff4ab6e4cfd536fa6001c2c19

Resubmissions

12/08/2024, 08:47

240812-kpzhtstdkk 5

12/08/2024, 08:32

240812-kfqjkatamp 3

Analysis

max time kernel
139s
max time network
206s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/08/2024, 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

A_N-啟碁-TSNCNC17066-0721-LCL..scr
Size

1.1MB
MD5

27bff21251401bdc53507869909489ac
SHA1

9799ac564ccff08975c682be7f9f300bafb452c7
SHA256

6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c
SHA512

eb6269a0355fa5fef9f34cc13d81ad44c5a44b9a81dfdbe0f88ccc2474988239d1384adb6745abe8e572f1a9a5478dea99d220864e4182b906448dfe4086e5ba
SSDEEP

24576:w5drKL26BWweIJ37Lb2Sr7vTYEg2ELQtQJFBXhNw2aJm:wqS6BESySr/Yr2BQV

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2332	448	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A_N-啟碁-TSNCNC17066-0721-LCL..scr

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
448	A_N-啟碁-TSNCNC17066-0721-LCL..scr
448	A_N-啟碁-TSNCNC17066-0721-LCL..scr
448	A_N-啟碁-TSNCNC17066-0721-LCL..scr
448	A_N-啟碁-TSNCNC17066-0721-LCL..scr
448	A_N-啟碁-TSNCNC17066-0721-LCL..scr

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	448	A_N-啟碁-TSNCNC17066-0721-LCL..scr

C:\Users\Admin\AppData\Local\Temp\A_N-啟碁-TSNCNC17066-0721-LCL..scr
"C:\Users\Admin\AppData\Local\Temp\A_N-啟碁-TSNCNC17066-0721-LCL..scr" /S
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 1384
  2⤵
  - Program crash
  PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 448 -ip 448
1⤵
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/448-0-0x000000007457E000-0x000000007457F000-memory.dmp

Filesize
4KB

Download
memory/448-1-0x00000000009B0000-0x0000000000AC4000-memory.dmp

Filesize
1.1MB

Download
memory/448-2-0x0000000007A20000-0x0000000007B06000-memory.dmp

Filesize
920KB

Download
memory/448-3-0x000000000B2C0000-0x000000000B864000-memory.dmp

Filesize
5.6MB

Download
memory/448-5-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/448-4-0x000000000AE10000-0x000000000AEA2000-memory.dmp

Filesize
584KB

Download
memory/448-6-0x00000000055F0000-0x00000000055FA000-memory.dmp

Filesize
40KB

Download
memory/448-7-0x0000000005850000-0x00000000058EC000-memory.dmp

Filesize
624KB

Download
memory/448-8-0x0000000006680000-0x000000000669A000-memory.dmp

Filesize
104KB

Download
memory/448-10-0x0000000006300000-0x0000000006316000-memory.dmp

Filesize
88KB

Download
memory/448-9-0x00000000062F0000-0x00000000062FE000-memory.dmp

Filesize
56KB

Download
memory/448-11-0x0000000006360000-0x0000000006420000-memory.dmp

Filesize
768KB

Download
memory/448-12-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download