Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
16-08-2024 15:12
Static task
static1
Behavioral task
behavioral1
Sample
1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe
Resource
win11-20240802-en
General
-
Target
1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe
-
Size
278KB
-
MD5
92ae7a1286d992e104c0072f639941f7
-
SHA1
d2c0fe4e7e9df1b4a9a4cd69e3167003e51c73b2
-
SHA256
1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3
-
SHA512
bed93d1e09f576c52b231046cbf9a4ef81ebb2f68eaa6fc7b0eea889418e5f3af440fef5da55882b5535f26d994fdd34c288ba62e7fb033f5bd372cf752bb62b
-
SSDEEP
6144:S7iHIcfYlXolTFsr91vzWmUuNTuBjEKz7nwWYcEZoSNDyaN9b/7:FPYJolZsr9kjuNTuVFfnwHYSNGOb/7
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3244 1736 WerFault.exe 1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
cmd.exePING.EXE1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
PING.EXEcmd.exepid process 3228 PING.EXE 4284 cmd.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.execmd.exedescription pid process target process PID 1736 wrote to memory of 4284 1736 1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe cmd.exe PID 1736 wrote to memory of 4284 1736 1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe cmd.exe PID 1736 wrote to memory of 4284 1736 1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe cmd.exe PID 4284 wrote to memory of 3228 4284 cmd.exe PING.EXE PID 4284 wrote to memory of 3228 4284 cmd.exe PING.EXE PID 4284 wrote to memory of 3228 4284 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe"C:\Users\Admin\AppData\Local\Temp\1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping google.com && erase C:\Users\Admin\AppData\Local\Temp\1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\SysWOW64\PING.EXEping google.com3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3228 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 14082⤵
- Program crash
PID:3244
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1736 -ip 17361⤵PID:4492
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
2Credentials in Registry
1