Analysis
max time kernel: 119s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-08-2024 10:06
Static task: static1
Behavioral task: behavioral1
  Sample: d5a18378b163bafb3b75f166cefe93c0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: d5a18378b163bafb3b75f166cefe93c0N.exe
  Resource: win10v2004-20240802-en
General
Target: d5a18378b163bafb3b75f166cefe93c0N.exe
Size: 237KB
MD5: d5a18378b163bafb3b75f166cefe93c0
SHA1: 0585ecccf12239bcd4c5da540d3de7b31013cff7
SHA256: 4479b4bf55669694f5dc5b16749758a3a360aca3071c60d4f0331010c9123747
SHA512: 0feda768a4194762fc8c01f69d63b824824fa60bb56561f4769272fd88ee7eb8a83e75ca78e2121f13e82426cb38ebd1c4b3851f3409615466179009d83e5878
SSDEEP: 6144:lA2P27yTAnKGw0hjFhSR/W1nyAJ9v0pMtRCpYQ:lATuTAnKGwUAWVycQqgj
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
Processes:
  pid   pid_target  process       target process
  4296  868         WerFault.exe  winver.exe
  5092  4600        WerFault.exe  d5a18378b163bafb3b75f166cefe93c0N.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                         process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d5a18378b163bafb3b75f166cefe93c0N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  winver.exe
Modifies data under HKEY_USERS (1 IoCs)
Processes:
  description      ioc                                                                                                                                   process
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"  svchost.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description                       pid   process
  Token: SeShutdownPrivilege        3380  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3380  Explorer.EXE
  Token: SeShutdownPrivilege        3380  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3380  Explorer.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid   process
  868   winver.exe
  4600  d5a18378b163bafb3b75f166cefe93c0N.exe

Suspicious use of UnmapMainImage (1 IoCs)
Processes:
  pid   process
  3380  Explorer.EXE

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                        pid   process                                target process
  PID 4600 wrote to memory of 868    4600  d5a18378b163bafb3b75f166cefe93c0N.exe  winver.exe
  PID 4600 wrote to memory of 868    4600  d5a18378b163bafb3b75f166cefe93c0N.exe  winver.exe
  PID 4600 wrote to memory of 868    4600  d5a18378b163bafb3b75f166cefe93c0N.exe  winver.exe
  PID 4600 wrote to memory of 868    4600  d5a18378b163bafb3b75f166cefe93c0N.exe  winver.exe
  PID 868 wrote to memory of 3380    868   winver.exe                             Explorer.EXE
  PID 4600 wrote to memory of 3380   4600  d5a18378b163bafb3b75f166cefe93c0N.exe  Explorer.EXE
Processes
(process tree; indentation shows parent/child relationship)

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3380
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  C:\Users\Admin\AppData\Local\Temp\d5a18378b163bafb3b75f166cefe93c0N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d5a18378b163bafb3b75f166cefe93c0N.exe"
    PID: 4600
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\winver.exe
      Command line: winver
      PID: 868
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 300
        PID: 4296
        - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 900
      PID: 5092
      - Program crash

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  PID: 4908
  - Modifies data under HKEY_USERS

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 868 -ip 868
  PID: 4520

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4600 -ip 4600
  PID: 4812