384b556c45172874234777b28fa8f97d6cde2163af54fbd1f2ddf6a995c27e12

Analysis

max time kernel
120s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae4680653e941cc1c9b90fb1976235e0N.exe
Size

540KB
MD5

ae4680653e941cc1c9b90fb1976235e0
SHA1

6d35f2a8e07437c907fdc325fd9a56527859aa1d
SHA256

384b556c45172874234777b28fa8f97d6cde2163af54fbd1f2ddf6a995c27e12
SHA512

df31f8a84e567d6939f64276b95cb82bae60479b07ad56997ad80d0c70e7d881f5905ac54e909d0a784e5c582d79d2a8695f2fd5ad284ea42896967878169a58
SSDEEP

12288:mQylkm4afINt+zth1Mgz/7dOSrl1bMQ1fRpg9CWzvHcV6tVlF:NbaMYhhKazESrl5MIfw9v746t3F

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
428	explorrer32.exe
3908	explorrer32.exe
3164	explorrer32.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4784 set thread context of 2764	4784	ae4680653e941cc1c9b90fb1976235e0N.exe	95
PID 428 set thread context of 3908	428	explorrer32.exe	100
PID 428 set thread context of 3164	428	explorrer32.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4492	2120	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae4680653e941cc1c9b90fb1976235e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorrer32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorrer32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae4680653e941cc1c9b90fb1976235e0N.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2120	ipconfig.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4784	ae4680653e941cc1c9b90fb1976235e0N.exe
2764	ae4680653e941cc1c9b90fb1976235e0N.exe
428	explorrer32.exe
3908	explorrer32.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 2764	4784	ae4680653e941cc1c9b90fb1976235e0N.exe	95
PID 4784 wrote to memory of 2764	4784	ae4680653e941cc1c9b90fb1976235e0N.exe	95
PID 4784 wrote to memory of 2764	4784	ae4680653e941cc1c9b90fb1976235e0N.exe	95
PID 4784 wrote to memory of 2764	4784	ae4680653e941cc1c9b90fb1976235e0N.exe	95
PID 4784 wrote to memory of 2764	4784	ae4680653e941cc1c9b90fb1976235e0N.exe	95
PID 4784 wrote to memory of 2764	4784	ae4680653e941cc1c9b90fb1976235e0N.exe	95
PID 4784 wrote to memory of 2764	4784	ae4680653e941cc1c9b90fb1976235e0N.exe	95
PID 4784 wrote to memory of 2764	4784	ae4680653e941cc1c9b90fb1976235e0N.exe	95
PID 2764 wrote to memory of 428	2764	ae4680653e941cc1c9b90fb1976235e0N.exe	96
PID 2764 wrote to memory of 428	2764	ae4680653e941cc1c9b90fb1976235e0N.exe	96
PID 2764 wrote to memory of 428	2764	ae4680653e941cc1c9b90fb1976235e0N.exe	96
PID 428 wrote to memory of 3908	428	explorrer32.exe	100
PID 428 wrote to memory of 3908	428	explorrer32.exe	100
PID 428 wrote to memory of 3908	428	explorrer32.exe	100
PID 428 wrote to memory of 3908	428	explorrer32.exe	100
PID 428 wrote to memory of 3908	428	explorrer32.exe	100
PID 428 wrote to memory of 3908	428	explorrer32.exe	100
PID 428 wrote to memory of 3908	428	explorrer32.exe	100
PID 428 wrote to memory of 3908	428	explorrer32.exe	100
PID 428 wrote to memory of 3164	428	explorrer32.exe	101
PID 428 wrote to memory of 3164	428	explorrer32.exe	101
PID 428 wrote to memory of 3164	428	explorrer32.exe	101
PID 428 wrote to memory of 3164	428	explorrer32.exe	101
PID 428 wrote to memory of 3164	428	explorrer32.exe	101
PID 428 wrote to memory of 3164	428	explorrer32.exe	101
PID 428 wrote to memory of 3164	428	explorrer32.exe	101
PID 428 wrote to memory of 3164	428	explorrer32.exe	101
PID 428 wrote to memory of 3164	428	explorrer32.exe	101
PID 428 wrote to memory of 3164	428	explorrer32.exe	101
PID 428 wrote to memory of 3164	428	explorrer32.exe	101
PID 428 wrote to memory of 3164	428	explorrer32.exe	101
PID 428 wrote to memory of 3164	428	explorrer32.exe	101
PID 3908 wrote to memory of 2120	3908	explorrer32.exe	102
PID 3908 wrote to memory of 2120	3908	explorrer32.exe	102
PID 3908 wrote to memory of 2120	3908	explorrer32.exe	102
PID 3908 wrote to memory of 2120	3908	explorrer32.exe	102
PID 3908 wrote to memory of 2120	3908	explorrer32.exe	102

C:\Users\Admin\AppData\Local\Temp\ae4680653e941cc1c9b90fb1976235e0N.exe
"C:\Users\Admin\AppData\Local\Temp\ae4680653e941cc1c9b90fb1976235e0N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Users\Admin\AppData\Local\Temp\ae4680653e941cc1c9b90fb1976235e0N.exe
  "C:\Users\Admin\AppData\Local\Temp\ae4680653e941cc1c9b90fb1976235e0N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Roaming\AppData\explorrer32.exe
    C:\Users\Admin\AppData\Roaming\AppData\explorrer32.exe -notray
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Users\Admin\AppData\Roaming\AppData\explorrer32.exe
      "C:\Users\Admin\AppData\Roaming\AppData\explorrer32.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3908
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        "C:\Windows\system32\ipconfig.exe"
        5⤵
        Gathers network information
        
        PID:2120
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 272
        6⤵
        Program crash
        
        PID:4492
  - - C:\Users\Admin\AppData\Roaming\AppData\explorrer32.exe
      "C:\Users\Admin\AppData\Roaming\AppData\explorrer32.exe"
      4⤵
      Executes dropped EXE
      PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2120 -ip 2120
1⤵
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AppData\explorrer32.exe

Filesize
540KB

MD5
ce0062ad1ea00e92743916e952e25ddf

SHA1
e8e33b755157754f41b5546c5ac1ffbc232bfa95

SHA256
2035cb9cdb320f2b96c850069b5b800ae8cce210ec233a3f8ced940a09bc04df

SHA512
7643be9ce1f980329a7050e235af2dd1fc0964969cdbf5f74f681f3cb91553fb50d5106f7d58f1f58e2d034c45676f09428e5e328c6258f820767d7dec4120b4

Download Submit
memory/428-42-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/428-21-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2764-18-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2764-19-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2764-6-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2764-8-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3164-32-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3164-33-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3164-47-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3164-29-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3164-28-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3164-46-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3164-38-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3164-45-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3164-39-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3164-37-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3164-36-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3164-35-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3164-34-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3164-26-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3164-31-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3908-43-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4784-5-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/4784-3-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/4784-2-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/4784-4-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download