b5c65c86e20ef4e75b6eb76aa91afbe4d3c61270d3b476be228cf08373dd5032

Analysis

max time kernel
101s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e20bf8bd266e584717ea6e2de4a6b030N.exe
Size

216KB
MD5

e20bf8bd266e584717ea6e2de4a6b030
SHA1

8cd54868c5dccbdd1f266de055e69a208def4b67
SHA256

b5c65c86e20ef4e75b6eb76aa91afbe4d3c61270d3b476be228cf08373dd5032
SHA512

b2bc096728e27cec5eaf508c4281bc069e8aeabd4607cb7321733484fe6281b084946e9aa429a7ce21fa56a7a42850ed3709889370c7fb42edca86331175dbca
SSDEEP

6144:6EL/A9Lr2xvgXaShU3xkAvKY+hToWxP3G6WB3:66A9L6xvQOkK+hJi3

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3996	e20bf8bd266e584717ea6e2de4a6b030N.exe

Executes dropped EXE 1 IoCs

pid	Process
3996	e20bf8bd266e584717ea6e2de4a6b030N.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
224	4900	WerFault.exe	83
2328	3996	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e20bf8bd266e584717ea6e2de4a6b030N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4900	e20bf8bd266e584717ea6e2de4a6b030N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3996	e20bf8bd266e584717ea6e2de4a6b030N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 3996	4900	e20bf8bd266e584717ea6e2de4a6b030N.exe	91
PID 4900 wrote to memory of 3996	4900	e20bf8bd266e584717ea6e2de4a6b030N.exe	91
PID 4900 wrote to memory of 3996	4900	e20bf8bd266e584717ea6e2de4a6b030N.exe	91

C:\Users\Admin\AppData\Local\Temp\e20bf8bd266e584717ea6e2de4a6b030N.exe
"C:\Users\Admin\AppData\Local\Temp\e20bf8bd266e584717ea6e2de4a6b030N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 396
  2⤵
  - Program crash
  PID:224
- C:\Users\Admin\AppData\Local\Temp\e20bf8bd266e584717ea6e2de4a6b030N.exe
  C:\Users\Admin\AppData\Local\Temp\e20bf8bd266e584717ea6e2de4a6b030N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 364
    3⤵
    - Program crash
    PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4900 -ip 4900
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3996 -ip 3996
1⤵
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e20bf8bd266e584717ea6e2de4a6b030N.exe

Filesize
216KB

MD5
5831591df06cc3844fe6a6d483b3572a

SHA1
ab00094179448c8d4ab3284fa0b7cbad663d32f4

SHA256
c5405fdf1dd9a43d80f3f6ecfb4f63a78b6dcdb54e58ddd5ca2e20528774c5e1

SHA512
b4421685f3c79ca70d789510d711504e460da1929d0fcb419c022c469954a7316f8ade8b28095413363428889a5f5e82eae64a94ea7143830df3ae74660bc4c4

Download Submit
memory/3996-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3996-13-0x0000000001460000-0x000000000149F000-memory.dmp

Filesize
252KB

Download
memory/3996-8-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3996-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4900-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4900-6-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download