01001674575a869cbeb9a9063aae82184d1621b49a34a4435600c6987ff104a0

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deb0299f10c1c5bc231249190e559300N.exe
Size

2.3MB
MD5

deb0299f10c1c5bc231249190e559300
SHA1

83db4e7bfd398e9e778742a4cf98cb565e7b16e1
SHA256

01001674575a869cbeb9a9063aae82184d1621b49a34a4435600c6987ff104a0
SHA512

51bb77547f35b7f29934f3611e6f0dcccdff1999eced39a42188653de507b20aebff99269c21045057c0f5e9023b90860603573637bad1f43865fc5fe15a419f
SSDEEP

24576:6mrMjCIi2GVa/ZSkJovBYLYsSwdaJ+4h99Fm+ci2a/ZSrJovBY:6mraig+h7Q+F2g

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2140	deb0299f10c1c5bc231249190e559300N.exe

Executes dropped EXE 1 IoCs

pid	Process
2140	deb0299f10c1c5bc231249190e559300N.exe

Loads dropped DLL 4 IoCs

pid	Process
2084	deb0299f10c1c5bc231249190e559300N.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2648	2140	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	deb0299f10c1c5bc231249190e559300N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	deb0299f10c1c5bc231249190e559300N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2084	deb0299f10c1c5bc231249190e559300N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2140	deb0299f10c1c5bc231249190e559300N.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2140	2084	deb0299f10c1c5bc231249190e559300N.exe	31
PID 2084 wrote to memory of 2140	2084	deb0299f10c1c5bc231249190e559300N.exe	31
PID 2084 wrote to memory of 2140	2084	deb0299f10c1c5bc231249190e559300N.exe	31
PID 2084 wrote to memory of 2140	2084	deb0299f10c1c5bc231249190e559300N.exe	31
PID 2140 wrote to memory of 2648	2140	deb0299f10c1c5bc231249190e559300N.exe	32
PID 2140 wrote to memory of 2648	2140	deb0299f10c1c5bc231249190e559300N.exe	32
PID 2140 wrote to memory of 2648	2140	deb0299f10c1c5bc231249190e559300N.exe	32
PID 2140 wrote to memory of 2648	2140	deb0299f10c1c5bc231249190e559300N.exe	32

C:\Users\Admin\AppData\Local\Temp\deb0299f10c1c5bc231249190e559300N.exe
"C:\Users\Admin\AppData\Local\Temp\deb0299f10c1c5bc231249190e559300N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\deb0299f10c1c5bc231249190e559300N.exe
  C:\Users\Admin\AppData\Local\Temp\deb0299f10c1c5bc231249190e559300N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 144
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\deb0299f10c1c5bc231249190e559300N.exe

Filesize
2.3MB

MD5
f3bbf382aece5b840a9d68360185e04a

SHA1
af049ee8b12370366a1ab7491c346ad9a2d22624

SHA256
c3c22ae519d2c127b60b5b0a52d471244247f015bf2d66eea07a248fa21c182c

SHA512
bdd5d0dd8b36685f8a4b92e979c9f4c5cf528e3a7f224d0e95c1ffc0417a64254b96ac453e4125302f2954962291b5e8dbce3d69fee29a1c8b9e5a3e8bb4d127

Download Submit
memory/2084-0-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2084-7-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2140-9-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2140-10-0x0000000002E00000-0x0000000002EED000-memory.dmp

Filesize
948KB

Download
memory/2140-14-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download