Analysis
max time kernel: 118s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-08-2024 23:06
Static task: static1
Behavioral task: behavioral1
    Sample: fce74f91a0846a362dd1599f636afee0N.exe
    Resource: win7-20240704-en
Behavioral task: behavioral2
    Sample: fce74f91a0846a362dd1599f636afee0N.exe
    Resource: win10v2004-20240802-en
General
Target: fce74f91a0846a362dd1599f636afee0N.exe
Size: 225KB
MD5: fce74f91a0846a362dd1599f636afee0
SHA1: 8bd28c0e494247c72876873034fb149a12c5ff46
SHA256: d8bf2b7e73ffdf282b9cbcdcc762ff615945fa90818d7815c8b34d4b59756449
SHA512: 7d7c5f34b52dcc1044e97dc5035d0bd83a93fe28b33d685c6eee58bb95bd4527265ec1761940e9cd5f09601cb32121c82a5d2702b71901dd040829a9af2b0337
SSDEEP: 6144:5A2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:5ATuTAnKGwUAW3ycQqgf
Malware Config
Signatures

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
Processes:
    pid | pid_target | process | target process
    112 | 2684 | WerFault.exe | winver.exe
    2712 | 688 | WerFault.exe | fce74f91a0846a362dd1599f636afee0N.exe
Both crashed processes also appear in the WriteProcessMemory signature below: PID 688 (the sample) is the writer, and PID 2684 (winver.exe, spawned by the sample) is written to four times before Windows Error Reporting is launched for it.

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fce74f91a0846a362dd1599f636afee0N.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winver.exe

Modifies data under HKEY_USERS (1 IoC)
Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | svchost.exe

Modifies registry class (2 IoCs)
Processes:
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
    pid | process
    688 | fce74f91a0846a362dd1599f636afee0N.exe
    688 | fce74f91a0846a362dd1599f636afee0N.exe

Suspicious use of AdjustPrivilegeToken (20 IoCs)
Processes:
    description | pid | process
    Token: SeShutdownPrivilege | 3380 | Explorer.EXE (10 occurrences, alternating with the row below)
    Token: SeCreatePagefilePrivilege | 3380 | Explorer.EXE (10 occurrences)

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
    pid | process
    2684 | winver.exe
    688 | fce74f91a0846a362dd1599f636afee0N.exe

Suspicious use of UnmapMainImage (1 IoC)
Processes:
    pid | process
    3380 | Explorer.EXE

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
    description | pid | process | target process
    PID 688 wrote to memory of 2684 | 688 | fce74f91a0846a362dd1599f636afee0N.exe | winver.exe
    PID 688 wrote to memory of 2684 | 688 | fce74f91a0846a362dd1599f636afee0N.exe | winver.exe
    PID 688 wrote to memory of 2684 | 688 | fce74f91a0846a362dd1599f636afee0N.exe | winver.exe
    PID 688 wrote to memory of 2684 | 688 | fce74f91a0846a362dd1599f636afee0N.exe | winver.exe
    PID 2684 wrote to memory of 3380 | 2684 | winver.exe | Explorer.EXE
    PID 688 wrote to memory of 3380 | 688 | fce74f91a0846a362dd1599f636afee0N.exe | Explorer.EXE
    PID 688 wrote to memory of 3024 | 688 | fce74f91a0846a362dd1599f636afee0N.exe | sihost.exe
Processes (indentation shows parent/child depth; the tree does not record which process launched the top-level entries)

C:\Windows\system32\sihost.exe [PID 3024]
    cmdline: sihost.exe

C:\Windows\Explorer.EXE [PID 3380]
    cmdline: C:\Windows\Explorer.EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage

    C:\Users\Admin\AppData\Local\Temp\fce74f91a0846a362dd1599f636afee0N.exe [PID 688]
        cmdline: "C:\Users\Admin\AppData\Local\Temp\fce74f91a0846a362dd1599f636afee0N.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\winver.exe [PID 2684]
            cmdline: winver
            - System Location Discovery: System Language Discovery
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\WerFault.exe [PID 112]
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 316
                - Program crash

        C:\Windows\SysWOW64\WerFault.exe [PID 2712]
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 984
            - Program crash

C:\Windows\System32\svchost.exe [PID 2112]
    cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
    - Modifies data under HKEY_USERS

C:\Windows\SysWOW64\WerFault.exe [PID 5092]
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2684 -ip 2684

C:\Windows\SysWOW64\WerFault.exe [PID 2716]
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 688 -ip 688
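The two pieces of evidence a triager actually wants to join here are the WriteProcessMemory rows and the process tree: a write into a process the writer itself spawned (688 into winver.exe) reads differently from a write into an already-running shell process (688 and 2684 into Explorer.EXE, 688 into sihost.exe), and a target that is then handed to WerFault is worth a separate flag. The script below is an added example, not part of this sandbox report or the sandbox vendor's tooling. The embedded input lines are copied from the report above; the line format it parses, the parent links (taken from the tree's nesting, top-level entries having no recorded parent) and the tag names are this example's own assumptions.

```python
"""Correlate WriteProcessMemory IoCs with a sandbox process tree.

Added example; the regexes and tag names are assumptions, the data rows are
taken from the report's Processes tree and WriteProcessMemory table.
"""
import re

# (pid, parent_pid or None, image, command line), from the report's tree.
# Top-level entries have no recorded parent, so they get None.
PROCESSES = [
    (3024, None, "sihost.exe", r"C:\Windows\system32\sihost.exe"),
    (3380, None, "Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (688, 3380, "fce74f91a0846a362dd1599f636afee0N.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\fce74f91a0846a362dd1599f636afee0N.exe"'),
    (2684, 688, "winver.exe", r"C:\Windows\SysWOW64\winver.exe"),
    (112, 2684, "WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 316"),
    (2712, 688, "WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 984"),
    (2112, None, "svchost.exe",
     r"C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman"),
    (5092, None, "WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2684 -ip 2684"),
    (2716, None, "WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 688 -ip 688"),
]

# WriteProcessMemory IoC rows, copied from the report's signature table.
WPM_LINES = """\
PID 688 wrote to memory of 2684 688 fce74f91a0846a362dd1599f636afee0N.exe winver.exe
PID 688 wrote to memory of 2684 688 fce74f91a0846a362dd1599f636afee0N.exe winver.exe
PID 688 wrote to memory of 2684 688 fce74f91a0846a362dd1599f636afee0N.exe winver.exe
PID 688 wrote to memory of 2684 688 fce74f91a0846a362dd1599f636afee0N.exe winver.exe
PID 2684 wrote to memory of 3380 2684 winver.exe Explorer.EXE
PID 688 wrote to memory of 3380 688 fce74f91a0846a362dd1599f636afee0N.exe Explorer.EXE
PID 688 wrote to memory of 3024 688 fce74f91a0846a362dd1599f636afee0N.exe sihost.exe
""".splitlines()

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>" (assumed layout)
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
# WerFault is launched with "-p <pid>" naming the faulting process.
WERFAULT_RE = re.compile(r"WerFault\.exe .*-p (\d+)")


def parse_wpm(lines):
    """Return (source_pid, target_pid, source_image, target_image) per row."""
    rows = []
    for line in lines:
        m = WPM_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return rows


def crashed_pids(processes):
    """PIDs that Windows Error Reporting was started for (from WerFault -p <pid>)."""
    crashed = set()
    for _pid, _ppid, image, cmdline in processes:
        m = WERFAULT_RE.search(cmdline)
        if image.lower() == "werfault.exe" and m:
            crashed.add(int(m.group(1)))
    return crashed


def classify_writes(processes, wpm_lines):
    """Group writes by (source, target) and tag each pair.

    write-to-own-child: target was spawned by the writer (pattern of injection
        into a freshly created process, e.g. hollowing).
    write-to-foreign-process: target already existed and is not the writer's
        child (injection into a running process such as a shell).
    target-crashed: WerFault was later launched for the target.
    """
    parents = {pid: ppid for pid, ppid, _img, _cmd in processes}
    crashed = crashed_pids(processes)
    findings = {}
    for src, dst, src_img, dst_img in parse_wpm(wpm_lines):
        f = findings.setdefault((src, dst),
                                {"source": src_img, "target": dst_img,
                                 "writes": 0, "tags": set()})
        f["writes"] += 1
        if parents.get(dst) == src:
            f["tags"].add("write-to-own-child")
        else:
            f["tags"].add("write-to-foreign-process")
        if dst in crashed:
            f["tags"].add("target-crashed")
    return findings


def summarize(findings):
    """One line per (source, target) pair, sorted, for a quick read."""
    return [f"{src} {f['source']} -> {dst} {f['target']}: "
            f"{f['writes']} write(s), {', '.join(sorted(f['tags']))}"
            for (src, dst), f in sorted(findings.items())]


if __name__ == "__main__":
    for line in summarize(classify_writes(PROCESSES, WPM_LINES)):
        print(line)
```

Run stand-alone it prints one line per writer/target pair; the 688 -> 2684 pair carries both write-to-own-child and target-crashed, while the three writes into Explorer.EXE and sihost.exe are tagged write-to-foreign-process. The parent map is the weak point of this check on real telemetry: if the collector drops the parent link (as the tree does for its top-level entries), a write into an own child is misreported as foreign, so treat "foreign" as "parent unknown or different", not as proof of injection into a pre-existing process.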