Analysis
max time kernel: 108s
max time network: 110s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/08/2024, 18:45
Static task: static1
Behavioral task: behavioral1
  Sample: 077a4447e4dc73de0fdddb4416ad5550N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 077a4447e4dc73de0fdddb4416ad5550N.exe
  Resource: win10v2004-20240802-en
General
Target: 077a4447e4dc73de0fdddb4416ad5550N.exe
Size: 640KB
MD5: 077a4447e4dc73de0fdddb4416ad5550
SHA1: 73a05a38ed794a2f7bdac2e983304a0905fa25d3
SHA256: 26874faa895d0bd4098f5ea1a70f8553072f7d87c374b074ec5377ceb26dce42
SHA512: f02836a81be3e453be0221f84a5f6c6f9e5a72ca575a0980655779b85a9fc5308dd754d93d8e1d60c59684ec9c40d3afe16a2b5e2090a08b0055a10e1f01e485
SSDEEP: 12288:wmz1UU6cSJQq9lnWhVQ5zCD4TyWN9VysX7ryTk2osi9:wmzjgQ4lnWhVQ5zY4xN9VyUUkV19
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid   Process
  5088  077a4447e4dc73de0fdddb4416ad5550N.exe

Executes dropped EXE (1 IoCs)
  pid   Process
  5088  077a4447e4dc73de0fdddb4416ad5550N.exe

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  1656  4920        WerFault.exe  85
  2784  5088        WerFault.exe  93
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  077a4447e4dc73de0fdddb4416ad5550N.exe
Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  4920  077a4447e4dc73de0fdddb4416ad5550N.exe

Suspicious use of UnmapMainImage (1 IoCs)
  pid   Process
  5088  077a4447e4dc73de0fdddb4416ad5550N.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                                procid_target
  PID 4920 wrote to memory of 5088  4920  077a4447e4dc73de0fdddb4416ad5550N.exe  93
  PID 4920 wrote to memory of 5088  4920  077a4447e4dc73de0fdddb4416ad5550N.exe  93
  PID 4920 wrote to memory of 5088  4920  077a4447e4dc73de0fdddb4416ad5550N.exe  93
Processes
C:\Users\Admin\AppData\Local\Temp\077a4447e4dc73de0fdddb4416ad5550N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\077a4447e4dc73de0fdddb4416ad5550N.exe"
  PID: 4920
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 396
      PID: 1656
      - Program crash
    C:\Users\Admin\AppData\Local\Temp\077a4447e4dc73de0fdddb4416ad5550N.exe
      command line: C:\Users\Admin\AppData\Local\Temp\077a4447e4dc73de0fdddb4416ad5550N.exe
      PID: 5088
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 364
          PID: 2784
          - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4920 -ip 4920
  PID: 1384
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5088 -ip 5088
  PID: 2120
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 640KB
MD5: 094adc78f353b3f6078a4e09e1b85ba2
SHA1: 7345c2871d776709d4a72b2d917e62228801afe4
SHA256: 90c72a9056edf65733aa42db5f6b472f4822adedc0b7127467ab2817c77d322d
SHA512: de8a868dd23e5406d8dd61d133fa3a1aec2bdf05601911ad6c98097d89a4f93e51c93afa92cf7e371693df91be230b1e0282e7064afe353fad6c37bdb8d0ed7d