dbe61ef0146e91c83a7518aa01b9015299dfd3156925bf07aac753ef559ee567

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf85d6f1099131a711e28e3c8a962cb0N.exe
Size

6.7MB
MD5

cf85d6f1099131a711e28e3c8a962cb0
SHA1

2455c4156489c7b51d3245019233fbe786e10b48
SHA256

dbe61ef0146e91c83a7518aa01b9015299dfd3156925bf07aac753ef559ee567
SHA512

684b8d22783166eb8d762805c21a23b4837498ae2f167f4ee06a4a618963771a886517aa7312ecc913c43b5ad4793b5d9e81b7a95d10047a42bf30819c5e2283
SSDEEP

49152:YgvNy6xgxbV8xgClgCo/ugD8xgClgoyTIgDL:ZpIbV8ztaZ8z3KvL

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2364	cf85d6f1099131a711e28e3c8a962cb0N.exe

Executes dropped EXE 1 IoCs

pid	Process
2364	cf85d6f1099131a711e28e3c8a962cb0N.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3608	2392	WerFault.exe	90
2448	2364	WerFault.exe	98
2288	2364	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf85d6f1099131a711e28e3c8a962cb0N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2392	cf85d6f1099131a711e28e3c8a962cb0N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2364	cf85d6f1099131a711e28e3c8a962cb0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2364	2392	cf85d6f1099131a711e28e3c8a962cb0N.exe	98
PID 2392 wrote to memory of 2364	2392	cf85d6f1099131a711e28e3c8a962cb0N.exe	98
PID 2392 wrote to memory of 2364	2392	cf85d6f1099131a711e28e3c8a962cb0N.exe	98

C:\Users\Admin\AppData\Local\Temp\cf85d6f1099131a711e28e3c8a962cb0N.exe
"C:\Users\Admin\AppData\Local\Temp\cf85d6f1099131a711e28e3c8a962cb0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 352
  2⤵
  - Program crash
  PID:3608
- C:\Users\Admin\AppData\Local\Temp\cf85d6f1099131a711e28e3c8a962cb0N.exe
  C:\Users\Admin\AppData\Local\Temp\cf85d6f1099131a711e28e3c8a962cb0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 348
    3⤵
    - Program crash
    PID:2448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 384
    3⤵
    - Program crash
    PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2392 -ip 2392
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2364 -ip 2364
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2364 -ip 2364
1⤵
PID:652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4340,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=1904 /prefetch:8
1⤵
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cf85d6f1099131a711e28e3c8a962cb0N.exe

Filesize
6.7MB

MD5
7fff66686a55dfee4d1b2a33cdc79782

SHA1
d519758dc24739516b039888d6815d3cf72e3315

SHA256
65f2878cb549242b7dc16cc2825d10aa5356dc44e7b717b3af7a263c4fa0c9a1

SHA512
7744a9dc62acf2fe66b29f7bb8991a4a68d77988b4bf3e20638e712cefef51fdd491d4a22f17b04d0cac0150b571adf518fdbdd70faf33066c856e66a0215458

Download Submit
memory/2364-7-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2364-8-0x00000000016E0000-0x00000000017D3000-memory.dmp

Filesize
972KB

Download
memory/2364-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2392-0-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2392-6-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download