dbe61ef0146e91c83a7518aa01b9015299dfd3156925bf07aac753ef559ee567

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf85d6f1099131a711e28e3c8a962cb0N.exe
Size

6.7MB
MD5

cf85d6f1099131a711e28e3c8a962cb0
SHA1

2455c4156489c7b51d3245019233fbe786e10b48
SHA256

dbe61ef0146e91c83a7518aa01b9015299dfd3156925bf07aac753ef559ee567
SHA512

684b8d22783166eb8d762805c21a23b4837498ae2f167f4ee06a4a618963771a886517aa7312ecc913c43b5ad4793b5d9e81b7a95d10047a42bf30819c5e2283
SSDEEP

49152:YgvNy6xgxbV8xgClgCo/ugD8xgClgoyTIgDL:ZpIbV8ztaZ8z3KvL

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2556	cf85d6f1099131a711e28e3c8a962cb0N.exe

Executes dropped EXE 1 IoCs

pid	Process
2556	cf85d6f1099131a711e28e3c8a962cb0N.exe

Loads dropped DLL 4 IoCs

pid	Process
2528	cf85d6f1099131a711e28e3c8a962cb0N.exe
2100	WerFault.exe
2100	WerFault.exe
2100	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2100	2556	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf85d6f1099131a711e28e3c8a962cb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf85d6f1099131a711e28e3c8a962cb0N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2528	cf85d6f1099131a711e28e3c8a962cb0N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2556	cf85d6f1099131a711e28e3c8a962cb0N.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2556	2528	cf85d6f1099131a711e28e3c8a962cb0N.exe	31
PID 2528 wrote to memory of 2556	2528	cf85d6f1099131a711e28e3c8a962cb0N.exe	31
PID 2528 wrote to memory of 2556	2528	cf85d6f1099131a711e28e3c8a962cb0N.exe	31
PID 2528 wrote to memory of 2556	2528	cf85d6f1099131a711e28e3c8a962cb0N.exe	31
PID 2556 wrote to memory of 2100	2556	cf85d6f1099131a711e28e3c8a962cb0N.exe	32
PID 2556 wrote to memory of 2100	2556	cf85d6f1099131a711e28e3c8a962cb0N.exe	32
PID 2556 wrote to memory of 2100	2556	cf85d6f1099131a711e28e3c8a962cb0N.exe	32
PID 2556 wrote to memory of 2100	2556	cf85d6f1099131a711e28e3c8a962cb0N.exe	32

C:\Users\Admin\AppData\Local\Temp\cf85d6f1099131a711e28e3c8a962cb0N.exe
"C:\Users\Admin\AppData\Local\Temp\cf85d6f1099131a711e28e3c8a962cb0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\cf85d6f1099131a711e28e3c8a962cb0N.exe
  C:\Users\Admin\AppData\Local\Temp\cf85d6f1099131a711e28e3c8a962cb0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 144
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\cf85d6f1099131a711e28e3c8a962cb0N.exe

Filesize
6.7MB

MD5
13bb39452e337d24bab97efb9a8f4451

SHA1
be5d0bddacb8872ab309d1249979795403805602

SHA256
8f06ad19a29c197c9c74be61a2309e63cc1a25dd3a7618856a0ef4b39dc8e6cc

SHA512
06f9e1fd6e1ee5e66c062e83cb686fc73c2763e2a1fad96f2335045901ed1da63e3e81642ddb3e0c1dd3d01bff6d69bf632a705191e36e18779d86f811260048

Download Submit
memory/2528-0-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2528-9-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2528-7-0x0000000002D50000-0x0000000002E43000-memory.dmp

Filesize
972KB

Download
memory/2556-10-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2556-11-0x0000000002E90000-0x0000000002F83000-memory.dmp

Filesize
972KB

Download
memory/2556-15-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download