ce69abfa6ad1d9baa863812e1555ab1ecfa46e20a57625f338a320502bd9dd6f

Analysis

max time kernel
118s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3629aef0a732229e13fd1fd473297e0N.exe
Size

256KB
MD5

a3629aef0a732229e13fd1fd473297e0
SHA1

7ce426662dde1e2ba53ebbd51c47501d2217cc21
SHA256

ce69abfa6ad1d9baa863812e1555ab1ecfa46e20a57625f338a320502bd9dd6f
SHA512

bb9c2a9fdac3f3afe4c9fe5728ae3bb60143b289ad480ed8755590f5daae300560930818b3234d6606c02ec34dbf5f8e4c165746c7701cbc762f85cd66d7e6db
SSDEEP

3072:L9b44A+JlgMTChgH4hii2+ohCLtFs/usr1mV3tp77Er20JQuPu5UEHaDka+q4JNO:tzGM+hgHAii2+uCrOmVreG+EHOH4j

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3444	a3629aef0a732229e13fd1fd473297e0N.exe

Executes dropped EXE 1 IoCs

pid	Process
3444	a3629aef0a732229e13fd1fd473297e0N.exe

Program crash 5 IoCs

pid	pid_target	Process	procid_target
4004	3388	WerFault.exe	85
3584	3444	WerFault.exe	92
2884	3444	WerFault.exe	92
3044	3444	WerFault.exe	92
4848	3444	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3629aef0a732229e13fd1fd473297e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3629aef0a732229e13fd1fd473297e0N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3388	a3629aef0a732229e13fd1fd473297e0N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3444	a3629aef0a732229e13fd1fd473297e0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 3444	3388	a3629aef0a732229e13fd1fd473297e0N.exe	92
PID 3388 wrote to memory of 3444	3388	a3629aef0a732229e13fd1fd473297e0N.exe	92
PID 3388 wrote to memory of 3444	3388	a3629aef0a732229e13fd1fd473297e0N.exe	92

C:\Users\Admin\AppData\Local\Temp\a3629aef0a732229e13fd1fd473297e0N.exe
"C:\Users\Admin\AppData\Local\Temp\a3629aef0a732229e13fd1fd473297e0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 384
  2⤵
  - Program crash
  PID:4004
- C:\Users\Admin\AppData\Local\Temp\a3629aef0a732229e13fd1fd473297e0N.exe
  C:\Users\Admin\AppData\Local\Temp\a3629aef0a732229e13fd1fd473297e0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:3444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 356
    3⤵
    - Program crash
    PID:3584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 768
    3⤵
    - Program crash
    PID:2884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 772
    3⤵
    - Program crash
    PID:3044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 768
    3⤵
    - Program crash
    PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3388 -ip 3388
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3444 -ip 3444
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3444 -ip 3444
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3444 -ip 3444
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3444 -ip 3444
1⤵
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a3629aef0a732229e13fd1fd473297e0N.exe

Filesize
256KB

MD5
f96c0010715b5041d6b3038a7dd6c4e2

SHA1
b0051890ce27c2c9615b989270c2afd542ae847b

SHA256
39f5ab7b66526cb39b52e68eb6ae76b85033c3f780f860c21389e772936c7ae7

SHA512
6101bc14f0355c8e7d705c4675dd2c9a1495a3c2e3178a92a515631747de1c1affc87f9a4c733cd9a11250d1b93d204f64b2168c0ec17f043812c9c2485e7f4b

Download Submit
memory/3388-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3388-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3444-6-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3444-9-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/3444-10-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3444-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download