8862bf429d0c8fffa6270e6eb83a844f45d975746c5787019c36f9f780b47025

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 04:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d0df934fac1e69f2c7dc664fa39bb610N.exe
Size

416KB
MD5

d0df934fac1e69f2c7dc664fa39bb610
SHA1

14dbe39871f28912eda58171fe175a9f01a6145f
SHA256

8862bf429d0c8fffa6270e6eb83a844f45d975746c5787019c36f9f780b47025
SHA512

bf337e334e5e41d5b9ea44e077721b4797b8f8b8ef5e5c7ea105d3cac3b4ba98db9e153cfe5cebb1146dd417e4b5c666dc57b9acda98d2c0e4af07c51c4d585d
SSDEEP

6144:cqjkWx4UFyaE8UVbda9KQU4Sv7sKGzWdDJboY4sJ9pALL7j1aFwoF:vH4UEaE8Upda9vU4E7G6D9d9pAi

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1836	d0df934fac1e69f2c7dc664fa39bb610N.exe

Executes dropped EXE 1 IoCs

pid	Process
1836	d0df934fac1e69f2c7dc664fa39bb610N.exe

Program crash 5 IoCs

pid	pid_target	Process	procid_target
3728	3348	WerFault.exe	82
4628	1836	WerFault.exe	89
1648	1836	WerFault.exe	89
2296	1836	WerFault.exe	89
2488	1836	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0df934fac1e69f2c7dc664fa39bb610N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0df934fac1e69f2c7dc664fa39bb610N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3348	d0df934fac1e69f2c7dc664fa39bb610N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1836	d0df934fac1e69f2c7dc664fa39bb610N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 1836	3348	d0df934fac1e69f2c7dc664fa39bb610N.exe	89
PID 3348 wrote to memory of 1836	3348	d0df934fac1e69f2c7dc664fa39bb610N.exe	89
PID 3348 wrote to memory of 1836	3348	d0df934fac1e69f2c7dc664fa39bb610N.exe	89

C:\Users\Admin\AppData\Local\Temp\d0df934fac1e69f2c7dc664fa39bb610N.exe
"C:\Users\Admin\AppData\Local\Temp\d0df934fac1e69f2c7dc664fa39bb610N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 384
  2⤵
  - Program crash
  PID:3728
- C:\Users\Admin\AppData\Local\Temp\d0df934fac1e69f2c7dc664fa39bb610N.exe
  C:\Users\Admin\AppData\Local\Temp\d0df934fac1e69f2c7dc664fa39bb610N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:1836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 352
    3⤵
    - Program crash
    PID:4628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 768
    3⤵
    - Program crash
    PID:1648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 788
    3⤵
    - Program crash
    PID:2296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 772
    3⤵
    - Program crash
    PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3348 -ip 3348
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1836 -ip 1836
1⤵
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1836 -ip 1836
1⤵
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1836 -ip 1836
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1836 -ip 1836
1⤵
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d0df934fac1e69f2c7dc664fa39bb610N.exe

Filesize
416KB

MD5
4f240c9c03e9855df1ac4f2657b7757f

SHA1
6cec305a72032d1e4233260e85ac67959e41b697

SHA256
55887b5f4d9fcd06203ab00322d549884c363a796385a26e51f5c0fa31763f1b

SHA512
d98317e2398a31a271ad5cfb7da035c01a99bd21f527b0053b921c96f052aaa96483debb54fb427d133408175d1b1901f7cff85e3b050ef7990484876f046d39

Download Submit
memory/1836-6-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1836-8-0x0000000004D70000-0x0000000004DA6000-memory.dmp

Filesize
216KB

Download
memory/1836-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1836-14-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3348-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3348-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download