87180287c9eaf65a1365f9eb1c637f4959a010b2f234155744de74068f8e54bc

General

Target

d29e2523e21d22745f1e68cacb12a930N.exe
Size

237KB
MD5

d29e2523e21d22745f1e68cacb12a930
SHA1

c81595f65d4e7e8ff87a188fe2552d6a30b75c47
SHA256

87180287c9eaf65a1365f9eb1c637f4959a010b2f234155744de74068f8e54bc
SHA512

4ad103d03387e00e23b29f0870432813a6d9ddba0cca29e2822bb18e7e1d0c07e5808c5149b9cbd56d14b7b449a07c0a27551d35c1e25b8d4170b5bb0009a549
SSDEEP

6144:ZA2P27yTAnKGw0hjFhSR/W1nyAJ9v0pMtRCpYQ:ZATuTAnKGwUAWVycQqgj

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4212	4204	WerFault.exe	99
3060	1004	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d29e2523e21d22745f1e68cacb12a930N.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1004	d29e2523e21d22745f1e68cacb12a930N.exe
1004	d29e2523e21d22745f1e68cacb12a930N.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4204	winver.exe
1004	d29e2523e21d22745f1e68cacb12a930N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3500	Explorer.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 4204	1004	d29e2523e21d22745f1e68cacb12a930N.exe	99
PID 1004 wrote to memory of 4204	1004	d29e2523e21d22745f1e68cacb12a930N.exe	99
PID 1004 wrote to memory of 4204	1004	d29e2523e21d22745f1e68cacb12a930N.exe	99
PID 1004 wrote to memory of 4204	1004	d29e2523e21d22745f1e68cacb12a930N.exe	99
PID 4204 wrote to memory of 3500	4204	winver.exe	56
PID 1004 wrote to memory of 3500	1004	d29e2523e21d22745f1e68cacb12a930N.exe	56
PID 1004 wrote to memory of 2796	1004	d29e2523e21d22745f1e68cacb12a930N.exe	49

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2796

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3500
- C:\Users\Admin\AppData\Local\Temp\d29e2523e21d22745f1e68cacb12a930N.exe
  "C:\Users\Admin\AppData\Local\Temp\d29e2523e21d22745f1e68cacb12a930N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\SysWOW64\winver.exe
    winver
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 300
      4⤵
      Program crash
      PID:4212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 884
    3⤵
    - Program crash
    PID:3060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Modifies data under HKEY_USERS
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4204 -ip 4204
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1004 -ip 1004
1⤵
PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1004-16-0x0000000005750000-0x0000000006150000-memory.dmp

Filesize
10.0MB

Download
memory/1004-1-0x0000000004340000-0x0000000004998000-memory.dmp

Filesize
6.3MB

Download
memory/1004-3-0x0000000004340000-0x0000000004998000-memory.dmp

Filesize
6.3MB

Download
memory/1004-4-0x0000000004160000-0x0000000004161000-memory.dmp

Filesize
4KB

Download
memory/1004-5-0x0000000004160000-0x0000000004161000-memory.dmp

Filesize
4KB

Download
memory/1004-6-0x0000000004160000-0x0000000004161000-memory.dmp

Filesize
4KB

Download
memory/1004-7-0x0000000004160000-0x0000000004161000-memory.dmp

Filesize
4KB

Download
memory/1004-8-0x0000000004160000-0x0000000004161000-memory.dmp

Filesize
4KB

Download
memory/1004-2-0x0000000004160000-0x0000000004161000-memory.dmp

Filesize
4KB

Download
memory/1004-24-0x0000000004340000-0x0000000004998000-memory.dmp

Filesize
6.3MB

Download
memory/1004-20-0x0000000005750000-0x0000000006150000-memory.dmp

Filesize
10.0MB

Download
memory/1004-12-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2796-19-0x0000000000B60000-0x0000000000B66000-memory.dmp

Filesize
24KB

Download
memory/2796-25-0x0000000000B60000-0x0000000000B66000-memory.dmp

Filesize
24KB

Download
memory/3500-17-0x0000000000900000-0x0000000000906000-memory.dmp

Filesize
24KB

Download
memory/3500-10-0x00000000008F0000-0x00000000008F6000-memory.dmp

Filesize
24KB

Download
memory/3500-11-0x00000000008F0000-0x00000000008F6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing