fbf826265e7f0a4d6b3db01f4ff96b30183e93bab1d6226df01b1becdddf70eb

Analysis

max time kernel
104s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9e4ef6504c168c3834bb554ddbaf8f0N.exe
Size

372KB
MD5

a9e4ef6504c168c3834bb554ddbaf8f0
SHA1

57047ef52fa004baa8d4245311c3212a2ffd0964
SHA256

fbf826265e7f0a4d6b3db01f4ff96b30183e93bab1d6226df01b1becdddf70eb
SHA512

14aaf09d234e2bba07330b4a700ee9b7dc4facf616dccf4390f574dfcd06949b1aec12d45e9c7ae8718d1512250d9589e5ee58e4c755816aebcdb21807126c6a
SSDEEP

6144:BkLYyvZFsjpHQvXrlHyJzVJot3aERiLTwEYYs1Z:BkLYyourOWaE0TGY

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
860	sysctl.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	a9e4ef6504c168c3834bb554ddbaf8f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\realex.exe \"%1\" %*"	a9e4ef6504c168c3834bb554ddbaf8f0N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysctl.exe = "C:\\Windows\\system32\\sysctl.exe"	a9e4ef6504c168c3834bb554ddbaf8f0N.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysctl.exe	a9e4ef6504c168c3834bb554ddbaf8f0N.exe
File created	C:\Windows\SysWOW64\realex.exe	a9e4ef6504c168c3834bb554ddbaf8f0N.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4328	860	WerFault.exe	84
3192	872	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9e4ef6504c168c3834bb554ddbaf8f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysctl.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	a9e4ef6504c168c3834bb554ddbaf8f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\realex.exe \"%1\" %*"	a9e4ef6504c168c3834bb554ddbaf8f0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 860	872	a9e4ef6504c168c3834bb554ddbaf8f0N.exe	84
PID 872 wrote to memory of 860	872	a9e4ef6504c168c3834bb554ddbaf8f0N.exe	84
PID 872 wrote to memory of 860	872	a9e4ef6504c168c3834bb554ddbaf8f0N.exe	84

C:\Users\Admin\AppData\Local\Temp\a9e4ef6504c168c3834bb554ddbaf8f0N.exe
"C:\Users\Admin\AppData\Local\Temp\a9e4ef6504c168c3834bb554ddbaf8f0N.exe"
1⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\SysWOW64\sysctl.exe
  C:\Windows\system32\sysctl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 456
    3⤵
    - Program crash
    PID:4328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 488
  2⤵
  - Program crash
  PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 860 -ip 860
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 872 -ip 872
1⤵
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sysctl.exe

Filesize
372KB

MD5
e9d218ac2e7fd2f8d174593912e9b947

SHA1
414c9cac07d194974695033a88c45a4bb471c38e

SHA256
fc36580b94165d884434f4a94e59ce46635a269a521016a7e002fa3f8c95b758

SHA512
6283eaa280f6d64098eed6067346f68862ce3c269041a0dc344bf86a51a041a93b678b4e9eac3a53122ecd40652e2e8a5d09012cdf8ae77bfe0771b93de0562d

Download Submit
memory/860-6-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/860-8-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/872-0-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/872-7-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads