Analysis

- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-08-2024 21:36
Static task: static1

Behavioral task: behavioral1
- Sample: 0a672ee4cfe227f1fd98a232b89c2c10N.exe
- Resource: win7-20240704-en

Behavioral task: behavioral2
- Sample: 0a672ee4cfe227f1fd98a232b89c2c10N.exe
- Resource: win10v2004-20240802-en
General

- Target: 0a672ee4cfe227f1fd98a232b89c2c10N.exe
- Size: 237KB
- MD5: 0a672ee4cfe227f1fd98a232b89c2c10
- SHA1: 5b4bc96dc9820f92b96cbe644ab804cc8bfc9ac2
- SHA256: 43ce1cb391cc7ab81e08985b05bf8a1f79262e6dc3f8176676c663da0c171907
- SHA512: 8f25c1813af51b953cc047d5b572625a330c683faff602eb4f632787a7770f29fe5ee4b82a4bd8df570f6619795b526c1cf797f51d7b685aa9c36d92d8bc7954
- SSDEEP: 6144:HA2P27yTAnKGw0hjFhSR/W1nyAJ9v0pMtRCpYQ:HATuTAnKGwUAWVycQqgj
Malware Config
Signatures

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (2 IoCs)
  Processes:
    pid | pid_target | process | target process
    3564 | 2832 | WerFault.exe | winver.exe
    4336 | 920 | WerFault.exe | 0a672ee4cfe227f1fd98a232b89c2c10N.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0a672ee4cfe227f1fd98a232b89c2c10N.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winver.exe
- Modifies data under HKEY_USERS (1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | svchost.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description | pid | process
    Token: SeShutdownPrivilege | 3588 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 3588 | Explorer.EXE
    Token: SeShutdownPrivilege | 3588 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 3588 | Explorer.EXE

- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
    pid | process
    2832 | winver.exe
    3588 | Explorer.EXE
    3588 | Explorer.EXE
    920 | 0a672ee4cfe227f1fd98a232b89c2c10N.exe

- Suspicious use of UnmapMainImage (1 IoCs)
  Processes:
    pid | process
    3588 | Explorer.EXE

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description | pid | process | target process
    PID 920 wrote to memory of 2832 | 920 | 0a672ee4cfe227f1fd98a232b89c2c10N.exe | winver.exe
    PID 920 wrote to memory of 2832 | 920 | 0a672ee4cfe227f1fd98a232b89c2c10N.exe | winver.exe
    PID 920 wrote to memory of 2832 | 920 | 0a672ee4cfe227f1fd98a232b89c2c10N.exe | winver.exe
    PID 920 wrote to memory of 2832 | 920 | 0a672ee4cfe227f1fd98a232b89c2c10N.exe | winver.exe
    PID 2832 wrote to memory of 3588 | 2832 | winver.exe | Explorer.EXE
    PID 920 wrote to memory of 3588 | 920 | 0a672ee4cfe227f1fd98a232b89c2c10N.exe | Explorer.EXE
Processes

- C:\Windows\Explorer.EXE (PID 3588)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of UnmapMainImage

  - C:\Users\Admin\AppData\Local\Temp\0a672ee4cfe227f1fd98a232b89c2c10N.exe (PID 920)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0a672ee4cfe227f1fd98a232b89c2c10N.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\winver.exe (PID 2832)
      Command line: winver
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\WerFault.exe (PID 3564)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 300
        - Program crash

    - C:\Windows\SysWOW64\WerFault.exe (PID 4336)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 808
      - Program crash

- C:\Windows\System32\svchost.exe (PID 668)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  - Modifies data under HKEY_USERS

- C:\Windows\SysWOW64\WerFault.exe (PID 4932)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2832 -ip 2832

- C:\Windows\SysWOW64\WerFault.exe (PID 4352)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 920 -ip 920