a1981cc694e2616c831703946f3b50decf1bbc063d1a03808cd9ba6686f8d3e4

Analysis

max time kernel
114s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9dfaa7eddb5c3f51920e846f76a8710N.exe
Size

3.2MB
MD5

b9dfaa7eddb5c3f51920e846f76a8710
SHA1

60bc96033828e94413bd6e367b0f7a67000b71f9
SHA256

a1981cc694e2616c831703946f3b50decf1bbc063d1a03808cd9ba6686f8d3e4
SHA512

7cae6868ca69d376ad636150e4a60d743e099fd544e7ffab49df737787045a33657fdc43434edc488507d7fde77034112da0352617def1f054129ba37e9263e8
SSDEEP

49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1Nv:DBIKRAGRe5K2UZj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5116	e57852e.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4272	5116	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9dfaa7eddb5c3f51920e846f76a8710N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e57852e.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2000	b9dfaa7eddb5c3f51920e846f76a8710N.exe
2000	b9dfaa7eddb5c3f51920e846f76a8710N.exe
5116	e57852e.exe
5116	e57852e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 5116	2000	b9dfaa7eddb5c3f51920e846f76a8710N.exe	84
PID 2000 wrote to memory of 5116	2000	b9dfaa7eddb5c3f51920e846f76a8710N.exe	84
PID 2000 wrote to memory of 5116	2000	b9dfaa7eddb5c3f51920e846f76a8710N.exe	84

C:\Users\Admin\AppData\Local\Temp\b9dfaa7eddb5c3f51920e846f76a8710N.exe
"C:\Users\Admin\AppData\Local\Temp\b9dfaa7eddb5c3f51920e846f76a8710N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e57852e.exe
  C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e57852e.exe 240616765
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 1888
    3⤵
    - Program crash
    PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5116 -ip 5116
1⤵
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e57852e.exe

Filesize
3.2MB

MD5
6ee2b5b9d895c17e27913867434718ba

SHA1
58201ef3ed4a4482762f39879ac9da214ca9fac6

SHA256
31cd1a07f34e29e203655db805157a1f64fc6cbfc48b9bbb4f0507e9434348e2

SHA512
e8b14e50fbc594534ff62de630eeec1d40e48870f4394d84a354ddc494d7e2733bb51551ec1dd38eba429871d8a056c5e68eed1c75671e0835edd05d80dde72d

Download Submit
memory/2000-0-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2000-1-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2000-20-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/5116-16-0x000000007609A000-0x000000007609B000-memory.dmp

Filesize
4KB

Download
memory/5116-21-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download