Analysis
max time kernel: 119s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-08-2024 00:03
Static task: static1
Behavioral task: behavioral1
  Sample: 7a9cb63f5660ddb631210349fe5c3eb0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 7a9cb63f5660ddb631210349fe5c3eb0N.exe
  Resource: win10v2004-20240802-en
General
Target: 7a9cb63f5660ddb631210349fe5c3eb0N.exe
Size: 237KB
MD5: 7a9cb63f5660ddb631210349fe5c3eb0
SHA1: 8f8053eb1bb223f44d1418a06caecaa1d5351d19
SHA256: 9911d115fa9bf1334d2980c2dc922f1f2414f69a88c234cd45c57ea5929fe292
SHA512: 351f63e46d21af6b42e74f49997ede8811c65133323848f0cf02e9b845fdb663e085294e488db0b72280d54baf791c476fd8b0b7e610a69af4b1b9fa4bfcbd6a
SSDEEP: 6144:0A2P27yTAnKGw0hjFhSR/W1nyAJ9v0pMtRCpYQ:0ATuTAnKGwUAWVycQqgj
Malware Config
Signatures
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 2 IoCs
Processes:
pid   pid_target  process       target process
2664  4756        WerFault.exe  winver.exe
924   2528        WerFault.exe  7a9cb63f5660ddb631210349fe5c3eb0N.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc                                                          process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7a9cb63f5660ddb631210349fe5c3eb0N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  winver.exe
Modifies data under HKEY_USERS 1 IoCs
Processes:
description      ioc                                                                                                                                          process
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"  svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   process
2528  7a9cb63f5660ddb631210349fe5c3eb0N.exe
2528  7a9cb63f5660ddb631210349fe5c3eb0N.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description                       pid   process
Token: SeShutdownPrivilege        3600  Explorer.EXE
Token: SeCreatePagefilePrivilege  3600  Explorer.EXE
Token: SeShutdownPrivilege        3600  Explorer.EXE
Token: SeCreatePagefilePrivilege  3600  Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid   process
4756  winver.exe
2528  7a9cb63f5660ddb631210349fe5c3eb0N.exe

Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid   process
3600  Explorer.EXE

Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description                       pid   process                                target process
PID 2528 wrote to memory of 4756  2528  7a9cb63f5660ddb631210349fe5c3eb0N.exe  winver.exe
PID 2528 wrote to memory of 4756  2528  7a9cb63f5660ddb631210349fe5c3eb0N.exe  winver.exe
PID 2528 wrote to memory of 4756  2528  7a9cb63f5660ddb631210349fe5c3eb0N.exe  winver.exe
PID 2528 wrote to memory of 4756  2528  7a9cb63f5660ddb631210349fe5c3eb0N.exe  winver.exe
PID 4756 wrote to memory of 3600  4756  winver.exe                             Explorer.EXE
PID 2528 wrote to memory of 3600  2528  7a9cb63f5660ddb631210349fe5c3eb0N.exe  Explorer.EXE
PID 2528 wrote to memory of 2652  2528  7a9cb63f5660ddb631210349fe5c3eb0N.exe  sihost.exe
Processes
(indentation shows process tree depth; each entry lists image path, command line, triggered signatures, PID)

C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2652

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID: 3600

  C:\Users\Admin\AppData\Local\Temp\7a9cb63f5660ddb631210349fe5c3eb0N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7a9cb63f5660ddb631210349fe5c3eb0N.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 2528

    C:\Windows\SysWOW64\winver.exe
      Command line: winver
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 4756

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 300
        - Program crash
        PID: 2664

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 812
      - Program crash
      PID: 924

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  - Modifies data under HKEY_USERS
  PID: 2248

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4756 -ip 4756
  PID: 3888

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2528 -ip 2528
  PID: 392