Analysis

  • max time kernel
    102s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/08/2024, 09:35

General

  • Target

    fa0b9a4b83b167d048bd3776fe381a00N.exe

  • Size

    67KB

  • MD5

    fa0b9a4b83b167d048bd3776fe381a00

  • SHA1

    84b7fab62b61b073280b725529c05372fb04ada5

  • SHA256

    da942c072718aeb087055dc7d0eeab5aa41d5bcdf749d32a4474903fbbd280a8

  • SHA512

    73ea28e2db9dd878f3e927dc2f126c75a89ba6ad372f19e779d07235d3abb05a5374c92968550f1bbd25caa2d61cdde84c7249e7902b24bd8327977f98edd335

  • SSDEEP

    1536:mvlmziUNJM4sbA5E3C8JNScjNOxfxMXl37U+mAKeRQiR/Rj:mUziUNJMtCE3jAcIx5Mhg+mGeiVx

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa0b9a4b83b167d048bd3776fe381a00N.exe
    "C:\Users\Admin\AppData\Local\Temp\fa0b9a4b83b167d048bd3776fe381a00N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\SysWOW64\Dmllipeg.exe
      C:\Windows\system32\Dmllipeg.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3664
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 408
        3⤵
        • Program crash
        PID:3028
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3664 -ip 3664
    1⤵
      PID:3116

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\Dmllipeg.exe

      Filesize

      67KB

      MD5

      6705f167813fc7741c75910329189e80

      SHA1

      bc3ab6255119eb8d67d97c1998a4ee5bd890eede

      SHA256

      d3cf04f5ff56402576c379d087a27ade9bab37be62dff85a89ba39dd63869627

      SHA512

      d39317101bdbb0e101efc107e90906a3d907c56831f43b0c1561734cf9a731ec482e802b4e0269262831801adde0d0493aca0a5ddfdcb15ca64cf7401bc669e4

    • memory/2876-0-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

    • memory/2876-10-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

    • memory/3664-7-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

    • memory/3664-9-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB