82ba03aebcf2eb0328d0bf093945f82e29f54ceadbd55d09a9f97c8d180953d7

Analysis

max time kernel
80s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9352fd9182b2afebca1b39f093f3dd0N.exe
Size

1.1MB
MD5

b9352fd9182b2afebca1b39f093f3dd0
SHA1

909877d9ba550f99f971bdf6922ec135e9a6c2ea
SHA256

82ba03aebcf2eb0328d0bf093945f82e29f54ceadbd55d09a9f97c8d180953d7
SHA512

49493f93f7913a5ec6914c429d17f1f3d8e1a6e50af22078778a19388ea91994dda1a35323aa38b0b07036b7c914103b5f4c0ecc2572df57d6bb6c59ceba2995
SSDEEP

6144:K5ISclkr4/xCN522wxIygC36+HGQsJNgPqwSqfkrEGGIAz2xwABrxxJa/YESjeB/:K0nx12we1j+ztdz2xjlDa/ZSEniF+G4V

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2060	b9352fd9182b2afebca1b39f093f3dd0N.exe

Executes dropped EXE 1 IoCs

pid	Process
2060	b9352fd9182b2afebca1b39f093f3dd0N.exe

Loads dropped DLL 4 IoCs

pid	Process
540	b9352fd9182b2afebca1b39f093f3dd0N.exe
1892	WerFault.exe
1892	WerFault.exe
1892	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1892	2060	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9352fd9182b2afebca1b39f093f3dd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9352fd9182b2afebca1b39f093f3dd0N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
540	b9352fd9182b2afebca1b39f093f3dd0N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2060	b9352fd9182b2afebca1b39f093f3dd0N.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 2060	540	b9352fd9182b2afebca1b39f093f3dd0N.exe	32
PID 540 wrote to memory of 2060	540	b9352fd9182b2afebca1b39f093f3dd0N.exe	32
PID 540 wrote to memory of 2060	540	b9352fd9182b2afebca1b39f093f3dd0N.exe	32
PID 540 wrote to memory of 2060	540	b9352fd9182b2afebca1b39f093f3dd0N.exe	32
PID 2060 wrote to memory of 1892	2060	b9352fd9182b2afebca1b39f093f3dd0N.exe	33
PID 2060 wrote to memory of 1892	2060	b9352fd9182b2afebca1b39f093f3dd0N.exe	33
PID 2060 wrote to memory of 1892	2060	b9352fd9182b2afebca1b39f093f3dd0N.exe	33
PID 2060 wrote to memory of 1892	2060	b9352fd9182b2afebca1b39f093f3dd0N.exe	33

C:\Users\Admin\AppData\Local\Temp\b9352fd9182b2afebca1b39f093f3dd0N.exe
"C:\Users\Admin\AppData\Local\Temp\b9352fd9182b2afebca1b39f093f3dd0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:540
- C:\Users\Admin\AppData\Local\Temp\b9352fd9182b2afebca1b39f093f3dd0N.exe
  C:\Users\Admin\AppData\Local\Temp\b9352fd9182b2afebca1b39f093f3dd0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 144
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\b9352fd9182b2afebca1b39f093f3dd0N.exe

Filesize
1.1MB

MD5
0839bda8de2e969a490f2ff57713ff64

SHA1
697ee378c5989e9f5b44decf09ee91bd7c8083c1

SHA256
6c7de46a7b5ff790c6aeb942302e243b6bf98067dd77958cc963f3ca4101772a

SHA512
44d55e00738e71e8caf20e698a221a512e55c938714603fa30c9892a915b726323d75b39b8113223de7d34d341604518dc0856b752d0433810d9f1352ee50243

Download Submit
memory/540-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/540-7-0x0000000002F70000-0x0000000003058000-memory.dmp

Filesize
928KB

Download
memory/540-9-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2060-10-0x0000000002EB0000-0x0000000002F98000-memory.dmp

Filesize
928KB

Download
memory/2060-14-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download