4db96fd8f1f2c35749d97549f4ce73f82269ce1133af52bd4f9eb6f142345ba8

Analysis

max time kernel
114s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 18:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

166b1dae3c1d1e766c8caab87e3c7720N.exe
Size

268KB
MD5

166b1dae3c1d1e766c8caab87e3c7720
SHA1

b012890241ef3d1057b10f58b63811102196118d
SHA256

4db96fd8f1f2c35749d97549f4ce73f82269ce1133af52bd4f9eb6f142345ba8
SHA512

6dc71ec94e09cadf1099120723953274907a414a85bdef19b8b0f73abe0e9f86dde880655224deb237ee645c735767e4219162f06e612ed92070c8419c0c2640
SSDEEP

3072:txM7ElaQyh0OuKFwwyZRT4NWHtmbghAycVQt7mvClM9PROOoEkUZ:t8caQyzuKLhOtmbCkU7da9Pno

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4568	166b1dae3c1d1e766c8caab87e3c7720N.exe

Executes dropped EXE 1 IoCs

pid	Process
4568	166b1dae3c1d1e766c8caab87e3c7720N.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3664	976	WerFault.exe	90
988	4568	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	166b1dae3c1d1e766c8caab87e3c7720N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
976	166b1dae3c1d1e766c8caab87e3c7720N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4568	166b1dae3c1d1e766c8caab87e3c7720N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 4568	976	166b1dae3c1d1e766c8caab87e3c7720N.exe	99
PID 976 wrote to memory of 4568	976	166b1dae3c1d1e766c8caab87e3c7720N.exe	99
PID 976 wrote to memory of 4568	976	166b1dae3c1d1e766c8caab87e3c7720N.exe	99

C:\Users\Admin\AppData\Local\Temp\166b1dae3c1d1e766c8caab87e3c7720N.exe
"C:\Users\Admin\AppData\Local\Temp\166b1dae3c1d1e766c8caab87e3c7720N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 396
  2⤵
  - Program crash
  PID:3664
- C:\Users\Admin\AppData\Local\Temp\166b1dae3c1d1e766c8caab87e3c7720N.exe
  C:\Users\Admin\AppData\Local\Temp\166b1dae3c1d1e766c8caab87e3c7720N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 364
    3⤵
    - Program crash
    PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 976 -ip 976
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4568 -ip 4568
1⤵
PID:840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4220,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:8
1⤵
PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\166b1dae3c1d1e766c8caab87e3c7720N.exe

Filesize
268KB

MD5
cdd710b34b1f4acdead9f4b74e82c309

SHA1
05aa885062f62348cc82ab8f06f2cbd5a4b25408

SHA256
2a93413706d45896a24bb766069d4a0fd9f201ed49c5b7b54384a05f1402fcdb

SHA512
0e0c433f29a5e80b3513d319a71742a245194b3598ad0d466d16b5d0884454df64fdf970c59cc44bdd903b0fd638c41b18fc75a107127ddb02ac6b7a7b7bc197

Download Submit
memory/976-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/976-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4568-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4568-14-0x0000000004E30000-0x0000000004E73000-memory.dmp

Filesize
268KB

Download
memory/4568-9-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4568-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download