Analysis
- max time kernel: 114s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-08-2024 10:42
Static task
- static1
Behavioral task
- behavioral1
  Sample: 40a8278ddc516f38960e65e87c5d58f0N.exe
  Resource: win7-20240705-en
Behavioral task
- behavioral2
  Sample: 40a8278ddc516f38960e65e87c5d58f0N.exe
  Resource: win10v2004-20240802-en
General
- Target: 40a8278ddc516f38960e65e87c5d58f0N.exe
- Size: 237KB
- MD5: 40a8278ddc516f38960e65e87c5d58f0
- SHA1: 4590ef33d7c8ada7b6d0680c825c9cf61a203f22
- SHA256: 1186b5b49e01796f359fc0f584aeef545083cb6bc6d3ebb1a158e1b67fdfa5b8
- SHA512: 8d6641611bab5439dc409ba2a8d91fe20ad296298f32cebee29db1bef864a42e33afaa083e08a4b0b4a613f3ebd0bc439e3e0fe138edb1452161fc232097f7d0
- SSDEEP: 6144:0A2P27yTAnKGw0hjFhSR/W1nyAJ9v0pMtRCpYQ:0ATuTAnKGwUAWVycQqgj
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  Processes:
    pid   pid_target  process       target process
    2216  1180        WerFault.exe  winver.exe
    4304  1724        WerFault.exe  40a8278ddc516f38960e65e87c5d58f0N.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description  ioc                                                        process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  40a8278ddc516f38960e65e87c5d58f0N.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  winver.exe
- Modifies data under HKEY_USERS (1 IoCs)
  Processes:
    description      ioc                                                                                                                                    process
    Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"  svchost.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1724  40a8278ddc516f38960e65e87c5d58f0N.exe
    1724  40a8278ddc516f38960e65e87c5d58f0N.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description                          pid   process
    Token: SeShutdownPrivilege           3460  Explorer.EXE
    Token: SeCreatePagefilePrivilege     3460  Explorer.EXE
    Token: SeShutdownPrivilege           3460  Explorer.EXE
    Token: SeCreatePagefilePrivilege     3460  Explorer.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid   process
    1180  winver.exe
    1724  40a8278ddc516f38960e65e87c5d58f0N.exe
- Suspicious use of UnmapMainImage (1 IoCs)
  Processes:
    pid   process
    3460  Explorer.EXE
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                          pid   process                                target process
    PID 1724 wrote to memory of 1180     1724  40a8278ddc516f38960e65e87c5d58f0N.exe  winver.exe
    PID 1724 wrote to memory of 1180     1724  40a8278ddc516f38960e65e87c5d58f0N.exe  winver.exe
    PID 1724 wrote to memory of 1180     1724  40a8278ddc516f38960e65e87c5d58f0N.exe  winver.exe
    PID 1724 wrote to memory of 1180     1724  40a8278ddc516f38960e65e87c5d58f0N.exe  winver.exe
    PID 1180 wrote to memory of 3460     1180  winver.exe                             Explorer.EXE
    PID 1724 wrote to memory of 3460     1724  40a8278ddc516f38960e65e87c5d58f0N.exe  Explorer.EXE
    PID 1724 wrote to memory of 2676     1724  40a8278ddc516f38960e65e87c5d58f0N.exe  sihost.exe
Processes
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2676
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage
  PID: 3460
  - C:\Users\Admin\AppData\Local\Temp\40a8278ddc516f38960e65e87c5d58f0N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\40a8278ddc516f38960e65e87c5d58f0N.exe"
    Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    PID: 1724
    - C:\Windows\SysWOW64\winver.exe
      Command line: winver
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      PID: 1180
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 300
        Signatures: Program crash
        PID: 2216
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 872
      Signatures: Program crash
      PID: 4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3364,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
  PID: 5012
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  Signatures: Modifies data under HKEY_USERS
  PID: 844
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1180 -ip 1180
  PID: 532
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1724 -ip 1724
  PID: 4208