ad215e510368e0d6d05f4a5a96d3eb2be5f9474ed3bc0f68c4bace02a87f1c99

Analysis

max time kernel
80s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74a9b936f7301f31a8ef4d8606522360N.exe
Size

2.0MB
MD5

74a9b936f7301f31a8ef4d8606522360
SHA1

1fb668736b91990ee24294460a3777b91321a9aa
SHA256

ad215e510368e0d6d05f4a5a96d3eb2be5f9474ed3bc0f68c4bace02a87f1c99
SHA512

3304324d07ffdee648dc871bf76e3d8207761bf7ca909e9ea5684e2ceaec3b6e9b4633e6ed70e7c1af49324ef46c5ab061cb78cdbca7335474ca5775bd852abf
SSDEEP

12288:WQGyXSq93U8UlJxwgs75FPjVDa/ZSBHnhvMCtjSE55GDjVDa/ZSrZjovBYz:8q93U675F9a/ZSFue+zxa/ZSrJovBYz

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1312	74a9b936f7301f31a8ef4d8606522360N.exe

Executes dropped EXE 1 IoCs

pid	Process
1312	74a9b936f7301f31a8ef4d8606522360N.exe

Loads dropped DLL 4 IoCs

pid	Process
3032	74a9b936f7301f31a8ef4d8606522360N.exe
2060	WerFault.exe
2060	WerFault.exe
2060	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2060	1312	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74a9b936f7301f31a8ef4d8606522360N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74a9b936f7301f31a8ef4d8606522360N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3032	74a9b936f7301f31a8ef4d8606522360N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1312	74a9b936f7301f31a8ef4d8606522360N.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 1312	3032	74a9b936f7301f31a8ef4d8606522360N.exe	31
PID 3032 wrote to memory of 1312	3032	74a9b936f7301f31a8ef4d8606522360N.exe	31
PID 3032 wrote to memory of 1312	3032	74a9b936f7301f31a8ef4d8606522360N.exe	31
PID 3032 wrote to memory of 1312	3032	74a9b936f7301f31a8ef4d8606522360N.exe	31
PID 1312 wrote to memory of 2060	1312	74a9b936f7301f31a8ef4d8606522360N.exe	32
PID 1312 wrote to memory of 2060	1312	74a9b936f7301f31a8ef4d8606522360N.exe	32
PID 1312 wrote to memory of 2060	1312	74a9b936f7301f31a8ef4d8606522360N.exe	32
PID 1312 wrote to memory of 2060	1312	74a9b936f7301f31a8ef4d8606522360N.exe	32

C:\Users\Admin\AppData\Local\Temp\74a9b936f7301f31a8ef4d8606522360N.exe
"C:\Users\Admin\AppData\Local\Temp\74a9b936f7301f31a8ef4d8606522360N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\74a9b936f7301f31a8ef4d8606522360N.exe
  C:\Users\Admin\AppData\Local\Temp\74a9b936f7301f31a8ef4d8606522360N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 144
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\74a9b936f7301f31a8ef4d8606522360N.exe

Filesize
2.0MB

MD5
9eb7d310e9a805db112835d8467b5d7a

SHA1
fb4903af1635b3e9a13e4572a42fac5e01fccc50

SHA256
d8b5751ea771520a90992739af45077d6c326e7a8ccf9e099f04cb4f15071a28

SHA512
bbb3e172276b8748adc30e8bd4495e967baefe42cdbcd5b9a28e67188cf70e3bcaa05177aa48b9fb9680306d6345b6d140fd154a53c63c759bed7bfa2d6f0d84

Download Submit
memory/1312-10-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/1312-11-0x0000000002E60000-0x0000000002F4D000-memory.dmp

Filesize
948KB

Download
memory/1312-15-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/3032-0-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/3032-9-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/3032-6-0x0000000002D60000-0x0000000002E4D000-memory.dmp

Filesize
948KB

Download