cb3a32a911c52be406641ce25575f13c33d341ae5f26d4c85392f0f29da16a59

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 04:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Crack Mergftre_protected..exe
Size

1.8MB
MD5

a8ecb42e3700b7d424db743c7b152c1c
SHA1

fe719cb5509fa3167135f179bc6ded6ec4307e34
SHA256

cb3a32a911c52be406641ce25575f13c33d341ae5f26d4c85392f0f29da16a59
SHA512

e835429c8412feec5903ebbb1ccc8e07972e3ee077e0a3cce7ca302bcc962e01649d7655dbedc4dd98deb2d8770541f3749a270c45106c1471b25eb40ded5677
SSDEEP

24576:6rcdPWfwRKzgxvoulsNuj79cEwkiF9XImWf:HdBKzgxvouWNujvwR94Z

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4532	5032	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crack Mergftre_protected..exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5032	Crack Mergftre_protected..exe

C:\Users\Admin\AppData\Local\Temp\Crack Mergftre_protected..exe
"C:\Users\Admin\AppData\Local\Temp\Crack Mergftre_protected..exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1884
  2⤵
  - Program crash
  PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5032 -ip 5032
1⤵
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5032-0-0x000000007539E000-0x000000007539F000-memory.dmp

Filesize
4KB

Download
memory/5032-1-0x0000000000380000-0x000000000055C000-memory.dmp

Filesize
1.9MB

Download
memory/5032-2-0x0000000004FF0000-0x0000000005002000-memory.dmp

Filesize
72KB

Download
memory/5032-3-0x000000007539E000-0x000000007539F000-memory.dmp

Filesize
4KB

Download
memory/5032-4-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/5032-5-0x0000000005370000-0x00000000053AC000-memory.dmp

Filesize
240KB

Download
memory/5032-6-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/5032-7-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download