85887b8ec6c6ddf12071a0ea14554ef924ac72f652eba2827443722df0b3f2ff

Analysis

max time kernel
79s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe
Size

1.1MB
MD5

8ab89c59c8fda81159ae27eaf35dd684
SHA1

aaadcdafc21a5f2a4a22e679ec87125928e299bd
SHA256

96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419
SHA512

9af7f0b9a3209f296bdec04ddbc41cc7ecd5ae4136e13e64ec1025d5acebbe04040f243cfd5098ce87acb58ac4e50d322d53a448a05fcfc3f293ae00967b2f41
SSDEEP

24576:hqDEvCTbMWu7rQYlBQcBiT6rprG8azSFN:hTvC/MTQYxsWR7azSF

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\incalculability.vbs	incalculability.exe

Executes dropped EXE 1 IoCs

pid	Process
4540	incalculability.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000c000000023372-14.dat	autoit_exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2424	4540	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	incalculability.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1580	96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe
1580	96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe
4540	incalculability.exe
4540	incalculability.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1580	96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe
1580	96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe
4540	incalculability.exe
4540	incalculability.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 4540	1580	96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe	89
PID 1580 wrote to memory of 4540	1580	96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe	89
PID 1580 wrote to memory of 4540	1580	96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe	89
PID 4540 wrote to memory of 3504	4540	incalculability.exe	91
PID 4540 wrote to memory of 3504	4540	incalculability.exe	91
PID 4540 wrote to memory of 3504	4540	incalculability.exe	91

C:\Users\Admin\AppData\Local\Temp\96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe
"C:\Users\Admin\AppData\Local\Temp\96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Users\Admin\AppData\Local\beeish\incalculability.exe
  "C:\Users\Admin\AppData\Local\Temp\96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe"
    3⤵
    PID:3504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 704
    3⤵
    - Program crash
    PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4540 -ip 4540
1⤵
PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Glagolitic

Filesize
203KB

MD5
d0185092d7de395664ca2daf138cf42b

SHA1
10a52920e88db5298b1bda7b29706c3412fb0b41

SHA256
3c07ac66cc2699711534a5e2acb7717f3c76d6824b6b2c45fe0ae88c7c4e94ac

SHA512
77a3d7ced06b129cfc622e1d5a3cab17012f90f21711e8f5a0933c751bacd70e5852f5f372d5fbbd9601cc42cfbe1fbfed4bb559eb4701a7822fd5aaee80ec7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cacostomia

Filesize
29KB

MD5
8620c48ba6cc6f917c1e936ad5aadd4e

SHA1
1a39b6df5478ad016a7c64e76ef0847a6f97fc75

SHA256
28b602e4ca07ca182e9a945542d48e4b5ed6fee09933fbd66180fb4aed439c73

SHA512
90f60bc95532c5837e67ae26bd2fbc6da6f670dc68e432e7c629bb9bfe5e8bb31d03482163902039194a596d3ffb74b474adae8e46a9fe4a9bfb847363bf07ce

Download Submit
C:\Users\Admin\AppData\Local\beeish\incalculability.exe

Filesize
1.1MB

MD5
8ab89c59c8fda81159ae27eaf35dd684

SHA1
aaadcdafc21a5f2a4a22e679ec87125928e299bd

SHA256
96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419

SHA512
9af7f0b9a3209f296bdec04ddbc41cc7ecd5ae4136e13e64ec1025d5acebbe04040f243cfd5098ce87acb58ac4e50d322d53a448a05fcfc3f293ae00967b2f41

Download Submit
memory/1580-11-0x0000000003360000-0x0000000003364000-memory.dmp

Filesize
16KB

Download