Analysis
max time kernel: 16s
max time network: 18s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 19-08-2024 08:34
Behavioral task: behavioral1
Sample: 5ccdd452b15d8d13d4a14ba31f8f1240N.exe
Resource: win7-20240704-en
General
Target: 5ccdd452b15d8d13d4a14ba31f8f1240N.exe
Size: 316KB
MD5: 5ccdd452b15d8d13d4a14ba31f8f1240
SHA1: 6d1e6cd740c3485d7515fc7ee2f8f3dcf6167c99
SHA256: 660a7afce6338968a621b18576514376c78c9c973c27b6369bb52faab6c4c494
SHA512: f491ac97ee78ec21517ad11e70863e283bd58845b01c2016b4f1fbdcdea41e6b693f39c9cf714461735f2dae57f5f228fcfaedaec98deace4f7005b3002ebe76
SSDEEP: 1536:Z4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZUnOHBRzU:ZIdseIO+EZEyFjEOFqTiQmKnOHjzU
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Processes:
resource                                                                      | yara_rule
behavioral1/memory/2240-1-0x0000000000400000-0x000000000044F000-memory.dmp    | upx

Program crash 1 IoCs
Processes:
pid  | pid_target | process      | target process
2244 | 2240       | WerFault.exe | 5ccdd452b15d8d13d4a14ba31f8f1240N.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc                                                        | process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5ccdd452b15d8d13d4a14ba31f8f1240N.exe

Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description                       | pid  | process                               | target process
PID 2240 wrote to memory of 2244  | 2240 | 5ccdd452b15d8d13d4a14ba31f8f1240N.exe | WerFault.exe
PID 2240 wrote to memory of 2244  | 2240 | 5ccdd452b15d8d13d4a14ba31f8f1240N.exe | WerFault.exe
PID 2240 wrote to memory of 2244  | 2240 | 5ccdd452b15d8d13d4a14ba31f8f1240N.exe | WerFault.exe
PID 2240 wrote to memory of 2244  | 2240 | 5ccdd452b15d8d13d4a14ba31f8f1240N.exe | WerFault.exe
Processes
C:\Users\Admin\AppData\Local\Temp\5ccdd452b15d8d13d4a14ba31f8f1240N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5ccdd452b15d8d13d4a14ba31f8f1240N.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2240
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 36
    - Program crash
    PID:2244