Analysis
max time kernel: 118s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/08/2024, 20:49
Static task: static1
Behavioral task: behavioral1
  Sample: 1edfcd0d4fc5c270ea507d2d28913ad0N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 1edfcd0d4fc5c270ea507d2d28913ad0N.exe
  Resource: win10v2004-20240802-en
General
Target: 1edfcd0d4fc5c270ea507d2d28913ad0N.exe
Size: 225KB
MD5: 1edfcd0d4fc5c270ea507d2d28913ad0
SHA1: d42fb7913e8aa52488fa1887f6695fe09b7a97eb
SHA256: 0cbd571f2cbb15bcc922a2fef69b5de0fcce818df2835deeebffcd0481ce4832
SHA512: ca04804f6b908507490dbfad137b10b406da6ebb72b8b9f2b1cb02fe7b1565056db6e937735962877a24e98b715d98a8f81095713e14e1bfbd4c7bed19a21145
SSDEEP: 6144:KA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:KATuTAnKGwUAW3ycQqgf
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  1220  4056        WerFault.exe  100
  1788  3172        WerFault.exe  83

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1edfcd0d4fc5c270ea507d2d28913ad0N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  winver.exe

Modifies data under HKEY_USERS (1 IoCs)
  description      ioc                                                                                                                            Process
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"  svchost.exe

Modifies registry class (2 IoCs)
  description  ioc                                                                                                          Process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\                                     Explorer.EXE
  Key created  \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  Explorer.EXE

Suspicious use of AdjustPrivilegeToken (12 IoCs)
  description                       pid   Process
  Token: SeShutdownPrivilege        3436  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3436  Explorer.EXE
  Token: SeShutdownPrivilege        3436  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3436  Explorer.EXE
  Token: SeShutdownPrivilege        3436  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3436  Explorer.EXE
  Token: SeShutdownPrivilege        3436  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3436  Explorer.EXE
  Token: SeShutdownPrivilege        3436  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3436  Explorer.EXE
  Token: SeShutdownPrivilege        3436  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3436  Explorer.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  4056  winver.exe
  3172  1edfcd0d4fc5c270ea507d2d28913ad0N.exe

Suspicious use of UnmapMainImage (1 IoCs)
  pid   Process
  3436  Explorer.EXE

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                procid_target
  PID 3172 wrote to memory of 4056  3172  1edfcd0d4fc5c270ea507d2d28913ad0N.exe  100
  PID 3172 wrote to memory of 4056  3172  1edfcd0d4fc5c270ea507d2d28913ad0N.exe  100
  PID 3172 wrote to memory of 4056  3172  1edfcd0d4fc5c270ea507d2d28913ad0N.exe  100
  PID 3172 wrote to memory of 4056  3172  1edfcd0d4fc5c270ea507d2d28913ad0N.exe  100
  PID 4056 wrote to memory of 3436  4056  winver.exe                             56
  PID 3172 wrote to memory of 3436  3172  1edfcd0d4fc5c270ea507d2d28913ad0N.exe  56
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3436
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - C:\Users\Admin\AppData\Local\Temp\1edfcd0d4fc5c270ea507d2d28913ad0N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1edfcd0d4fc5c270ea507d2d28913ad0N.exe"
    PID: 3172
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe
      Command line: winver
      PID: 4056
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 300
        PID: 1220
        - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 872
      PID: 1788
      - Program crash
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  PID: 3460
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4056 -ip 4056
  PID: 1160
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3172 -ip 3172
  PID: 2312