Analysis

  • max time kernel
    100s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-08-2024 15:02

General

  • Target

    3abccfd3a85f85888dcbc2836859d290N.exe

  • Size

    5.0MB

  • MD5

    3abccfd3a85f85888dcbc2836859d290

  • SHA1

    75e8d70dc3f27adc32f34f346248bee7cb45f27d

  • SHA256

    81f99c5b0327626eb7d5a5e804df898ae26229f9e5f4a0f42c374ee9f8387d63

  • SHA512

    f47ae1ddd50d4c4ae29ad04777a7d14cdd78198bb9c1a2391da00ac187594432c1ee465c0b8964135b001268c614567232269e7a72a36e68f1312486e2292d10

  • SSDEEP

    98304:W2igfeezuE4KFtaEkQQQAEXytvZi8eue8RQQW1SjPI5VZhQQAEXytvZi8eue8:W2igGgxFtaEkQpOfpPChpO

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Program crash 15 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3abccfd3a85f85888dcbc2836859d290N.exe
    "C:\Users\Admin\AppData\Local\Temp\3abccfd3a85f85888dcbc2836859d290N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 352
      2⤵
      • Program crash
      PID:3936
    • C:\Users\Admin\AppData\Local\Temp\3abccfd3a85f85888dcbc2836859d290N.exe
      C:\Users\Admin\AppData\Local\Temp\3abccfd3a85f85888dcbc2836859d290N.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:3196
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 344
        3⤵
        • Program crash
        PID:3300
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 636
        3⤵
        • Program crash
        PID:1320
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 676
        3⤵
        • Program crash
        PID:1884
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 668
        3⤵
        • Program crash
        PID:4184
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 700
        3⤵
        • Program crash
        PID:3176
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 904
        3⤵
        • Program crash
        PID:1488
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1408
        3⤵
        • Program crash
        PID:1668
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1524
        3⤵
        • Program crash
        PID:3468
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1480
        3⤵
        • Program crash
        PID:3660
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1696
        3⤵
        • Program crash
        PID:1756
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1656
        3⤵
        • Program crash
        PID:640
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1528
        3⤵
        • Program crash
        PID:1604
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1408
        3⤵
        • Program crash
        PID:3772
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1492
        3⤵
        • Program crash
        PID:1704
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1412 -ip 1412
    1⤵
    PID:3704
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3196 -ip 3196
    1⤵
    PID:4420
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3196 -ip 3196
    1⤵
    PID:656
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3196 -ip 3196
    1⤵
    PID:1380
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3196 -ip 3196
    1⤵
    PID:668
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3196 -ip 3196
    1⤵
    PID:2404
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3196 -ip 3196
    1⤵
    PID:5088
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3196 -ip 3196
    1⤵
    PID:4848
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3196 -ip 3196
    1⤵
    PID:4280
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3196 -ip 3196
    1⤵
    PID:1052
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3196 -ip 3196
    1⤵
    PID:3532
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3196 -ip 3196
    1⤵
    PID:1044
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3196 -ip 3196
    1⤵
    PID:4044
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3196 -ip 3196
    1⤵
    PID:2536
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3196 -ip 3196
    1⤵
    PID:1056

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3abccfd3a85f85888dcbc2836859d290N.exe
    Filesize
    5.0MB
    MD5
    baf476cba1ddf00e2ecef6da2fc0abda
    SHA1
    e2d5eaa7c2fc77ba0598e6dafa40d4b03875c62c
    SHA256
    5e6fbd6bbcc3fd80e3f0d1cf408be6cbe31262e63bca60525fe21a33f86cc426
    SHA512
    56acacb6d55fbba2cd0efbae16c8e4e653a2bf81e55d7646dd3ae18d6f828371fe622baa032274d896f179b6dbaef4ecb6e16f02657984a31327f61f8e014551
  • memory/1412-0-0x0000000000400000-0x00000000004F1000-memory.dmp
    Filesize
    964KB
  • memory/1412-6-0x0000000000400000-0x00000000004F1000-memory.dmp
    Filesize
    964KB
  • memory/3196-7-0x0000000000400000-0x00000000004F1000-memory.dmp
    Filesize
    964KB
  • memory/3196-8-0x00000000050A0000-0x0000000005191000-memory.dmp
    Filesize
    964KB
  • memory/3196-9-0x0000000000400000-0x00000000004A3000-memory.dmp
    Filesize
    652KB
  • memory/3196-23-0x0000000000400000-0x0000000000443000-memory.dmp
    Filesize
    268KB
  • memory/3196-29-0x000000000C810000-0x000000000C8B3000-memory.dmp
    Filesize
    652KB
  • memory/3196-30-0x0000000000400000-0x00000000004F1000-memory.dmp
    Filesize
    964KB
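Three things in this report are worth pulling out mechanically rather than by eye: the 15 "Program crash" IoCs are one WerFault.exe crash handler for the first instance (PID 1412) and fourteen for the relaunched copy (PID 3196); the file listed under Downloads sits at the same path as the submitted sample but carries a different MD5/SHA256, which is what "Deletes itself" plus "Executes dropped EXE" look like when a sample rewrites and relaunches itself in place; and the memory dumps for PID 3196 show the region at the image base 0x400000 shrinking from 964KB to 652KB and then 268KB before a 964KB region is mapped there again, consistent with the "Suspicious use of UnmapMainImage" signature. The parser below is an added example written for this page, not code from the sandbox vendor; the input strings are lines copied from the process tree and Downloads list above, and the reading of `-u -p <pid>` as the crash handler for the faulting process and `-pss ... -p <pid> -ip <pid>` as the WER service's snapshot instance is the author's assumption about WerFault.exe's command lines, not something the report itself states.

```python
"""Extract crash and memory-region IoCs from a Triage-style process tree.

Hypothetical report parser written for this page; it is not code from the
sandbox vendor. Input lines below are copied from the report above.
"""
import re
from collections import Counter

# Constructed sample: every "-u -p" crash-handler line from the process tree,
# plus three of the report's fifteen "-pss" snapshot lines (trimmed for space).
CMDLINES = r"""
C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 352
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 344
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 636
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 676
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 668
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 700
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 904
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1408
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1524
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1480
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1696
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1656
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1528
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1408
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1492
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1412 -ip 1412
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3196 -ip 3196
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3196 -ip 3196
"""

# Constructed sample: the memory dump names from the report's Downloads list.
DUMPS = """
memory/1412-0-0x0000000000400000-0x00000000004F1000-memory.dmp
memory/1412-6-0x0000000000400000-0x00000000004F1000-memory.dmp
memory/3196-7-0x0000000000400000-0x00000000004F1000-memory.dmp
memory/3196-8-0x00000000050A0000-0x0000000005191000-memory.dmp
memory/3196-9-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/3196-23-0x0000000000400000-0x0000000000443000-memory.dmp
memory/3196-29-0x000000000C810000-0x000000000C8B3000-memory.dmp
memory/3196-30-0x0000000000400000-0x00000000004F1000-memory.dmp
"""

# Assumed meaning: "-u -p <pid>" is the crash handler launched for the faulting
# process; "-pss ... -p <pid> -ip <pid>" is the WER service's snapshot of it.
CRASH_RE = re.compile(r"WerFault\.exe -u -p (\d+) -s \d+")
SNAPSHOT_RE = re.compile(r"WerFault\.exe -pss -s \d+ -p (\d+) -ip (\d+)")
DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def crash_counts(text):
    """Crash-handler launches per faulting PID (one per 'Program crash' IoC)."""
    return Counter(int(pid) for pid in CRASH_RE.findall(text))


def snapshot_counts(text):
    """WER snapshot instances per PID; -p and -ip name the same process."""
    return Counter(int(p) for p, ip in SNAPSHOT_RE.findall(text) if p == ip)


def parse_dumps(text):
    """(pid, seq, start, end, size_kb) for each dump, in report order."""
    regions = []
    for pid, seq, start, end in DUMP_RE.findall(text):
        lo, hi = int(start, 16), int(end, 16)
        regions.append((int(pid), int(seq), lo, hi, (hi - lo) // 1024))
    return regions


def main_image_sizes(regions, base=0x400000):
    """Sizes (KB) dumped at the main-image base per PID, ordered by seq."""
    sizes = {}
    for pid, _seq, lo, _hi, kb in sorted(regions, key=lambda r: r[1]):
        if lo == base:
            sizes.setdefault(pid, []).append(kb)
    return sizes


def remapped_pids(regions):
    """PIDs whose region at 0x400000 changes size between dumps: the image
    was unmapped and something else mapped in its place (cf. UnmapMainImage)."""
    return sorted(p for p, kbs in main_image_sizes(regions).items()
                  if len(set(kbs)) > 1)


if __name__ == "__main__":
    print("crashes per PID:", dict(crash_counts(CMDLINES)))
    print("snapshots per PID:", dict(snapshot_counts(CMDLINES)))
    print("main image sizes:", main_image_sizes(parse_dumps(DUMPS)))
    print("remapped PIDs:", remapped_pids(parse_dumps(DUMPS)))
```

Run as-is it reports 1 crash for PID 1412 and 14 for PID 3196, matching the report's 15 "Program crash" IoCs, and flags 3196 as the only PID whose image-base region changed size. The size arithmetic reproduces the report's own Filesize values (0x4F1000 - 0x400000 = 964KB, 0x4A3000 - 0x400000 = 652KB, 0x443000 - 0x400000 = 268KB), which is a cheap sanity check when carrying dump names into a tracking system; when triaging the dumps themselves, the 3196-9 and 3196-23 regions are the candidates for the unpacked payload, and the 3196-8 and 3196-29 regions at non-image addresses are the same sizes as those image-base regions, which is where to look for the staged copy before it was mapped over the original.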