Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 19-08-2024 10:41

Behavioral task: behavioral1
Sample: e0b477fbbeea981612c175f4e7b97e70N.exe
Resource: win7-20240708-en
General
Target: e0b477fbbeea981612c175f4e7b97e70N.exe
Size: 316KB
MD5: e0b477fbbeea981612c175f4e7b97e70
SHA1: db3c026be6be36c9af176dd059ad90ed35554f5a
SHA256: 720bae68bb732551d9afc1c9a18e40d23ea7fa0b8cf59f5e819a86a7e7ee8dc4
SHA512: db4e6e0f651f666c85bdc082dd3232dbd94f88e14b76e1547cd54e61f68ff51de5b74f562b292e983cc10433dd51a5e589b465e76c282ed817032e1740419148
SSDEEP: 1536:k4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZUnOHBRzU:kIdseIO+EZEyFjEOFqTiQmKnOHjzU
Malware Config
Extracted
Family: neconyd
C2 URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
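The hashes and C2 URLs above are only useful once they are matched against telemetry. The block below is an added example, not part of the sandbox report and not code from the sandbox vendor. It normalises the neconyd C2 URLs and the sample hashes from this report into lookups and runs a handful of constructed DNS, proxy and EDR log lines through them, matching subdomains of a C2 host but not lookalike names that merely start with it. The log format (`source key=value ...`), the field names, the host names such as 10.0.0.7 and ws07, and the log lines themselves are made up for the demo; the hashes, URLs and registry key are the ones on this page.

```python
"""Match the IOCs from this sandbox report against constructed log lines.

Added example: the indicators are copied from the report, everything else
(log format, field names, hosts, client IPs) is invented for the demo.
"""
import re
from urllib.parse import urlparse

# Indicators as listed in the report.
C2_URLS = [
    "http://ow5dirasuek.com/",
    "http://mkkuei4kdsz.com/",
    "http://lousta.net/",
]
HASHES = {
    "md5": "e0b477fbbeea981612c175f4e7b97e70",
    "sha1": "db3c026be6be36c9af176dd059ad90ed35554f5a",
    "sha256": "720bae68bb732551d9afc1c9a18e40d23ea7fa0b8cf59f5e819a86a7e7ee8dc4",
}
NLS_LANGUAGE_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Hypothetical log format: "<source> key=value key=value ..." (constructed).
SAMPLE_LOGS = [
    r"dns client=10.0.0.7 query=ow5dirasuek.com type=A",
    r"dns client=10.0.0.7 query=www.example.com type=A",
    r"dns client=10.0.0.7 query=cdn.lousta.net. type=A",
    r"proxy client=10.0.0.7 method=GET url=http://LOUSTA.NET/index.php status=200",
    r"proxy client=10.0.0.9 method=GET url=http://mkkuei4kdsz.com.evil-lookalike.org/ status=200",
    r"edr host=ws07 event=file_create sha256=720bae68bb732551d9afc1c9a18e40d23ea7fa0b8cf59f5e819a86a7e7ee8dc4 path=C:\Users\Admin\AppData\Local\Temp\e0b477fbbeea981612c175f4e7b97e70N.exe",
    r"edr host=ws07 event=reg_open key=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pid=1596",
]

_KV = re.compile(r"(\w+)=(\S+)")


def c2_hosts(urls=C2_URLS):
    """Reduce C2 URLs to lower-case hostnames; the "/" path carries no signal."""
    return {urlparse(u).hostname.lower() for u in urls}


def host_matches(host, blocked):
    """True for the host itself or any subdomain of it (cdn.lousta.net),
    False for a lookalike that only starts with the name (lousta.net.evil.org)."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocked)


def parse_line(line):
    """Split '<source> k=v k=v' into (source, {k: v})."""
    source, _, rest = line.partition(" ")
    return source, dict(_KV.findall(rest))


def match_log_lines(lines, urls=C2_URLS, hashes=HASHES, nls_key=NLS_LANGUAGE_KEY):
    """Return (line_index, severity, reason) for every line that hits an IOC."""
    blocked = c2_hosts(urls)
    hash_values = {v.lower() for v in hashes.values()}
    hits = []
    for idx, line in enumerate(lines):
        source, f = parse_line(line)
        if source == "dns" and "query" in f and host_matches(f["query"], blocked):
            hits.append((idx, "high", f"DNS query for neconyd C2 host {f['query']}"))
        elif source == "proxy" and "url" in f:
            host = urlparse(f["url"]).hostname or ""
            if host_matches(host, blocked):
                hits.append((idx, "high", f"HTTP request to neconyd C2 host {host}"))
        elif source == "edr":
            matched_hash = next((a for a in ("md5", "sha1", "sha256")
                                 if f.get(a, "").lower() in hash_values), None)
            if matched_hash:
                hits.append((idx, "high", f"{matched_hash} matches the report sample"))
            elif f.get("event") == "reg_open" and f.get("key", "").lower() == nls_key.lower():
                # Reading NLS\Language is locale discovery but also common in
                # benign software, so on its own it is only a low-confidence hit.
                hits.append((idx, "low", "NLS\\Language key opened (system language discovery)"))
    return hits


if __name__ == "__main__":
    for idx, severity, reason in match_log_lines(SAMPLE_LOGS):
        print(f"[{severity}] line {idx}: {reason}")
```

The registry hit is deliberately scored low: the signature on this page fires on a single key open, which plenty of legitimate installers also perform, so it should raise a hunt only alongside a hash or C2 match.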
Signatures

YARA rule match (upx)
Processes:
resource | yara_rule
behavioral1/memory/1596-1-0x0000000000400000-0x000000000044F000-memory.dmp | upx

Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
2364 | 1596 | WerFault.exe | e0b477fbbeea981612c175f4e7b97e70N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e0b477fbbeea981612c175f4e7b97e70N.exe

Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description | pid | process | target process
PID 1596 wrote to memory of 2364 | 1596 | e0b477fbbeea981612c175f4e7b97e70N.exe | WerFault.exe
PID 1596 wrote to memory of 2364 | 1596 | e0b477fbbeea981612c175f4e7b97e70N.exe | WerFault.exe
PID 1596 wrote to memory of 2364 | 1596 | e0b477fbbeea981612c175f4e7b97e70N.exe | WerFault.exe
PID 1596 wrote to memory of 2364 | 1596 | e0b477fbbeea981612c175f4e7b97e70N.exe | WerFault.exe
All four writes target PID 2364, the WerFault.exe instance spawned to handle the sample's own crash, so this signature reflects the crash-reporting handoff rather than injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\e0b477fbbeea981612c175f4e7b97e70N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e0b477fbbeea981612c175f4e7b97e70N.exe"
  PID: 1596
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 36
      PID: 2364
      - Program crash
The child is the user-mode crash handler (-u user-mode fault, -p 1596 faulting PID, -s 36 handle for the reporting handshake), launched from SysWOW64 because the sample is a 32-bit image running on the x64 guest. The run therefore ends in a crash shortly after the locale check, and the C2 URLs listed under Malware Config come from the configuration extractor rather than from connections observed in this run.