Analysis
- max time kernel: 80s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 18/08/2024, 04:17

Static task: static1

Behavioral task: behavioral1
  Sample: 74a9b936f7301f31a8ef4d8606522360N.exe
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample: 74a9b936f7301f31a8ef4d8606522360N.exe
  Resource: win10v2004-20240802-en
General
- Target: 74a9b936f7301f31a8ef4d8606522360N.exe
- Size: 2.0MB
- MD5: 74a9b936f7301f31a8ef4d8606522360
- SHA1: 1fb668736b91990ee24294460a3777b91321a9aa
- SHA256: ad215e510368e0d6d05f4a5a96d3eb2be5f9474ed3bc0f68c4bace02a87f1c99
- SHA512: 3304324d07ffdee648dc871bf76e3d8207761bf7ca909e9ea5684e2ceaec3b6e9b4633e6ed70e7c1af49324ef46c5ab061cb78cdbca7335474ca5775bd852abf
- SSDEEP: 12288:WQGyXSq93U8UlJxwgs75FPjVDa/ZSBHnhvMCtjSE55GDjVDa/ZSrZjovBYz:8q93U675F9a/ZSFue+zxa/ZSrJovBYz
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid   Process
  1312  74a9b936f7301f31a8ef4d8606522360N.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  1312  74a9b936f7301f31a8ef4d8606522360N.exe
- Loads dropped DLL (4 IoCs)
  pid   Process
  3032  74a9b936f7301f31a8ef4d8606522360N.exe
  2060  WerFault.exe
  2060  WerFault.exe
  2060  WerFault.exe
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2060  1312        WerFault.exe  31
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  74a9b936f7301f31a8ef4d8606522360N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  74a9b936f7301f31a8ef4d8606522360N.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  3032  74a9b936f7301f31a8ef4d8606522360N.exe
- Suspicious use of UnmapMainImage (1 IoC)
  pid   Process
  1312  74a9b936f7301f31a8ef4d8606522360N.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                procid_target
  PID 3032 wrote to memory of 1312  3032  74a9b936f7301f31a8ef4d8606522360N.exe  31
  PID 3032 wrote to memory of 1312  3032  74a9b936f7301f31a8ef4d8606522360N.exe  31
  PID 3032 wrote to memory of 1312  3032  74a9b936f7301f31a8ef4d8606522360N.exe  31
  PID 3032 wrote to memory of 1312  3032  74a9b936f7301f31a8ef4d8606522360N.exe  31
  PID 1312 wrote to memory of 2060  1312  74a9b936f7301f31a8ef4d8606522360N.exe  32
  PID 1312 wrote to memory of 2060  1312  74a9b936f7301f31a8ef4d8606522360N.exe  32
  PID 1312 wrote to memory of 2060  1312  74a9b936f7301f31a8ef4d8606522360N.exe  32
  PID 1312 wrote to memory of 2060  1312  74a9b936f7301f31a8ef4d8606522360N.exe  32
Processes
C:\Users\Admin\AppData\Local\Temp\74a9b936f7301f31a8ef4d8606522360N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\74a9b936f7301f31a8ef4d8606522360N.exe"
  PID: 3032
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\74a9b936f7301f31a8ef4d8606522360N.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\74a9b936f7301f31a8ef4d8606522360N.exe
    PID: 1312
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe (depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 144
      PID: 2060
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.0MB
  MD5: 9eb7d310e9a805db112835d8467b5d7a
  SHA1: fb4903af1635b3e9a13e4572a42fac5e01fccc50
  SHA256: d8b5751ea771520a90992739af45077d6c326e7a8ccf9e099f04cb4f15071a28
  SHA512: bbb3e172276b8748adc30e8bd4495e967baefe42cdbcd5b9a28e67188cf70e3bcaa05177aa48b9fb9680306d6345b6d140fd154a53c63c759bed7bfa2d6f0d84