Analysis

- max time kernel: 103s
- max time network: 114s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/08/2024, 01:19

Behavioral task: behavioral1
Sample: 1c39392a58481100d12051fdddea9a60N.exe
Resource: win7-20240708-en
General

- Target: 1c39392a58481100d12051fdddea9a60N.exe
- Size: 1.5MB
- MD5: 1c39392a58481100d12051fdddea9a60
- SHA1: 347eb2869db08ee40aa7e5eacf87da849bca1900
- SHA256: c413ab5eeeeba7514c998bd8a07b24c3ad8dbf1c4ec3119ea9d4f17c5c7b9aff
- SHA512: d40b75638f19df2e63be6184e5acf1e168aeeaa00dd3c45fd80d8742c28d4fbdb9b0919dd2dbe785619ae81455eb9f7217ee4d1ac5d7b6e61c17eadd334aa3fb
- SSDEEP: 24576:ceWroXdm0DSBoN1cjukL24eXyK1okOXdRu8N5nEcjukL2Y:ceIoXdRaoN1cakLfeXyKLOXdRu8N5nEy
Malware Config

Signatures

- Deletes itself (1 IoCs)
  pid   Process
  3200  1c39392a58481100d12051fdddea9a60N.exe

- Executes dropped EXE (1 IoCs)
  pid   Process
  3200  1c39392a58481100d12051fdddea9a60N.exe

- resource / yara_rule
  behavioral2/memory/2552-0-0x0000000000400000-0x000000000065C000-memory.dmp   upx
  behavioral2/files/0x00080000000234dc-12.dat                                  upx
  behavioral2/memory/3200-14-0x0000000000400000-0x000000000065C000-memory.dmp  upx

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
  flow  ioc
  21    pastebin.com

- Program crash (19 IoCs)
  pid   pid_target  Process       procid_target
  4128  3200        WerFault.exe  85
  516   3200        WerFault.exe  85
  2532  3200        WerFault.exe  85
  2540  3200        WerFault.exe  85
  1560  3200        WerFault.exe  85
  3088  3200        WerFault.exe  85
  3292  3200        WerFault.exe  85
  1928  3200        WerFault.exe  85
  1828  3200        WerFault.exe  85
  3040  3200        WerFault.exe  85
  4208  3200        WerFault.exe  85
  1052  3200        WerFault.exe  85
  5024  3200        WerFault.exe  85
  4360  3200        WerFault.exe  85
  4172  3200        WerFault.exe  85
  1164  3200        WerFault.exe  85
  3644  3200        WerFault.exe  85
  1864  3200        WerFault.exe  85
  1412  3200        WerFault.exe  85

- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1c39392a58481100d12051fdddea9a60N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1c39392a58481100d12051fdddea9a60N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe

- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1228  schtasks.exe

- Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  2552  1c39392a58481100d12051fdddea9a60N.exe

- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  2552  1c39392a58481100d12051fdddea9a60N.exe
  3200  1c39392a58481100d12051fdddea9a60N.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                procid_target
  PID 2552 wrote to memory of 3200   2552  1c39392a58481100d12051fdddea9a60N.exe  85
  PID 2552 wrote to memory of 3200   2552  1c39392a58481100d12051fdddea9a60N.exe  85
  PID 2552 wrote to memory of 3200   2552  1c39392a58481100d12051fdddea9a60N.exe  85
  PID 3200 wrote to memory of 1228   3200  1c39392a58481100d12051fdddea9a60N.exe  86
  PID 3200 wrote to memory of 1228   3200  1c39392a58481100d12051fdddea9a60N.exe  86
  PID 3200 wrote to memory of 1228   3200  1c39392a58481100d12051fdddea9a60N.exe  86
  PID 3200 wrote to memory of 1060   3200  1c39392a58481100d12051fdddea9a60N.exe  88
  PID 3200 wrote to memory of 1060   3200  1c39392a58481100d12051fdddea9a60N.exe  88
  PID 3200 wrote to memory of 1060   3200  1c39392a58481100d12051fdddea9a60N.exe  88
  PID 1060 wrote to memory of 8      1060  cmd.exe                                90
  PID 1060 wrote to memory of 8      1060  cmd.exe                                90
  PID 1060 wrote to memory of 8      1060  cmd.exe                                90
Processes

- C:\Users\Admin\AppData\Local\Temp\1c39392a58481100d12051fdddea9a60N.exe (PID 2552)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1c39392a58481100d12051fdddea9a60N.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\1c39392a58481100d12051fdddea9a60N.exe (PID 3200)
    Command line: C:\Users\Admin\AppData\Local\Temp\1c39392a58481100d12051fdddea9a60N.exe
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\schtasks.exe (PID 1228)
      Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\1c39392a58481100d12051fdddea9a60N.exe" /TN I8mYOnEac625 /F
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

    - C:\Windows\SysWOW64\cmd.exe (PID 1060)
      Command line: cmd.exe /c schtasks.exe /Query /XML /TN I8mYOnEac625 > C:\Users\Admin\AppData\Local\Temp\B4cf9.xml
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\schtasks.exe (PID 8)
        Command line: schtasks.exe /Query /XML /TN I8mYOnEac625
        - System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\WerFault.exe (PID 4128)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 612
      - Program crash

    - C:\Windows\SysWOW64\WerFault.exe (PID 516)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 636
      - Program crash

    - C:\Windows\SysWOW64\WerFault.exe (PID 2532)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 612
      - Program crash

    - C:\Windows\SysWOW64\WerFault.exe (PID 2540)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 740
      - Program crash

    - C:\Windows\SysWOW64\WerFault.exe (PID 1560)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 728
      - Program crash

    - C:\Windows\SysWOW64\WerFault.exe (PID 3088)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 788
      - Program crash

    - C:\Windows\SysWOW64\WerFault.exe (PID 3292)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1368
      - Program crash

    - C:\Windows\SysWOW64\WerFault.exe (PID 1928)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1548
      - Program crash

    - C:\Windows\SysWOW64\WerFault.exe (PID 1828)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1744
      - Program crash

    - C:\Windows\SysWOW64\WerFault.exe (PID 3040)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1516
      - Program crash

    - C:\Windows\SysWOW64\WerFault.exe (PID 4208)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1520
      - Program crash

    - C:\Windows\SysWOW64\WerFault.exe (PID 1052)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1756
      - Program crash

    - C:\Windows\SysWOW64\WerFault.exe (PID 5024)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1556
      - Program crash

    - C:\Windows\SysWOW64\WerFault.exe (PID 4360)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1716
      - Program crash

    - C:\Windows\SysWOW64\WerFault.exe (PID 4172)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1548
      - Program crash

    - C:\Windows\SysWOW64\WerFault.exe (PID 1164)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1796
      - Program crash

    - C:\Windows\SysWOW64\WerFault.exe (PID 3644)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1828
      - Program crash

    - C:\Windows\SysWOW64\WerFault.exe (PID 1864)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1800
      - Program crash

    - C:\Windows\SysWOW64\WerFault.exe (PID 1412)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1720
      - Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 4832)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3200 -ip 3200

- C:\Windows\SysWOW64\WerFault.exe (PID 1588)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3200 -ip 3200

- C:\Windows\SysWOW64\WerFault.exe (PID 1932)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3200 -ip 3200

- C:\Windows\SysWOW64\WerFault.exe (PID 4040)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3200 -ip 3200

- C:\Windows\SysWOW64\WerFault.exe (PID 1952)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3200 -ip 3200

- C:\Windows\SysWOW64\WerFault.exe (PID 4860)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3200 -ip 3200

- C:\Windows\SysWOW64\WerFault.exe (PID 3792)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3200 -ip 3200

- C:\Windows\SysWOW64\WerFault.exe (PID 408)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3200 -ip 3200

- C:\Windows\SysWOW64\WerFault.exe (PID 3472)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3200 -ip 3200

- C:\Windows\SysWOW64\WerFault.exe (PID 1904)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3200 -ip 3200

- C:\Windows\SysWOW64\WerFault.exe (PID 3724)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3200 -ip 3200

- C:\Windows\SysWOW64\WerFault.exe (PID 1196)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3200 -ip 3200

- C:\Windows\SysWOW64\WerFault.exe (PID 1556)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3200 -ip 3200

- C:\Windows\SysWOW64\WerFault.exe (PID 3308)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3200 -ip 3200

- C:\Windows\SysWOW64\WerFault.exe (PID 4372)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3200 -ip 3200

- C:\Windows\SysWOW64\WerFault.exe (PID 2292)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3200 -ip 3200

- C:\Windows\SysWOW64\WerFault.exe (PID 1348)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3200 -ip 3200

- C:\Windows\SysWOW64\WerFault.exe (PID 540)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3200 -ip 3200

- C:\Windows\SysWOW64\WerFault.exe (PID 2596)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3200 -ip 3200
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.5MB
  MD5: 53d420d8cb135206f939fcf02226d708
  SHA1: 918e67d31a78362a21eb6c8a6dc2985cab312198
  SHA256: 4491acba60dc09d50f36cbf44826a66b8ce749ac1ff126aae04ac1be9e326f27
  SHA512: 918bcbabae906ef96a2764aaeca1c5d31fcbef3534a0fdee8765472922b5e0298353cd5542c408f5141ca48393dcf2f70db973f4a747a59e0707abea645765cf

- Filesize: 1KB
  MD5: aeb95dfc147299c60112cf4c98bf64a7
  SHA1: b1e01babb76bbc8b59d1b0c95e77ee7af5405daf
  SHA256: ebe8a8102d1cc0d4706af54f0b0dc8645933864f5e829ff96607a9a85df2b1e7
  SHA512: 8043180cf010506e848d130dee0d8fc3040395739e965d052f9a852ffdd24243f825dd45a8252819f6d48c6f5f30900a041734b69cc4e13d35319826c17159e9