Analysis
  max time kernel:  14s
  max time network: 19s
  platform:         windows7_x64
  resource:         win7-20240704-en
  resource tags:    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted:        19-08-2024 01:57
Behavioral task: behavioral1
  Sample:   aafde0f0ae50c36ea2f7483570f17f20N.exe
  Resource: win7-20240704-en
General
  Target: aafde0f0ae50c36ea2f7483570f17f20N.exe
  Size:   316KB
  MD5:    aafde0f0ae50c36ea2f7483570f17f20
  SHA1:   38cb2ba8eea219f135c49d2a518f431bf34e0fa4
  SHA256: 13967b3c86e805128882a0421e9561cbcb000c4285996159ef1b17356777e922
  SHA512: 7350dd75ddb8448e846df11eb14c57d070ea5fe36b16aad46918336f38fded296ac00b4bca0426ec36ca9d3df1a28d8780f092a0d5cdc3f9c1b4fc11610f44aa
  SSDEEP: 1536:54d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZUnOHBRzU:5IdseIO+EZEyFjEOFqTiQmKnOHjzU
Malware Config
  Extracted: neconyd
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/
Signatures

Processes:
  resource                                                                    yara_rule
  behavioral1/memory/2780-1-0x0000000000400000-0x000000000044F000-memory.dmp  upx

Program crash (1 IoCs)
Processes:
  pid   pid_target  process       target process
  1948  2780        WerFault.exe  aafde0f0ae50c36ea2f7483570f17f20N.exe

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aafde0f0ae50c36ea2f7483570f17f20N.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                        pid   process                                target process
  PID 2780 wrote to memory of 1948   2780  aafde0f0ae50c36ea2f7483570f17f20N.exe  WerFault.exe
  PID 2780 wrote to memory of 1948   2780  aafde0f0ae50c36ea2f7483570f17f20N.exe  WerFault.exe
  PID 2780 wrote to memory of 1948   2780  aafde0f0ae50c36ea2f7483570f17f20N.exe  WerFault.exe
  PID 2780 wrote to memory of 1948   2780  aafde0f0ae50c36ea2f7483570f17f20N.exe  WerFault.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\aafde0f0ae50c36ea2f7483570f17f20N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aafde0f0ae50c36ea2f7483570f17f20N.exe"
  PID: 2780
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 36
    PID: 1948
    - Program crash