Overview

Score  Target                 Platform
10     Static                 -
3      086583686b...77.exe    windows7-x64
10     086583686b...77.exe    windows10-2004-x64
7      $PLUGINSDI...em.dll    windows7-x64
3      $PLUGINSDI...em.dll    windows10-2004-x64
3      $PLUGINSDI...gs.dll    windows7-x64
3      $PLUGINSDI...gs.dll    windows10-2004-x64
3      RollOver.js            windows7-x64
3      RollOver.js            windows10-2004-x64
3      caption.js             windows7-x64
3      caption.js             windows10-2004-x64
3      gestaltung...e.html    windows7-x64
3      gestaltung...e.html    windows10-2004-x64
1      uninst.exe             windows7-x64
7      uninst.exe             windows10-2004-x64
7      $PLUGINSDI...em.dll    windows7-x64
3      $PLUGINSDI...em.dll    windows10-2004-x64
Analysis

- Max time kernel: 148s
- Max time network: 150s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240802-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 26-08-2024 18:34
Static task: static1

Behavioral tasks

Task          Sample                                                                  Resource
behavioral1   086583686b2d70ff5a67cdd5c60de6770ca6cc1890f0ebe3df63173e32530477.exe    win7-20240708-en
behavioral2   086583686b2d70ff5a67cdd5c60de6770ca6cc1890f0ebe3df63173e32530477.exe    win10v2004-20240802-en
behavioral3   $PLUGINSDIR/System.dll                                                  win7-20240708-en
behavioral4   $PLUGINSDIR/System.dll                                                  win10v2004-20240802-en
behavioral5   $PLUGINSDIR/nsDialogs.dll                                               win7-20240708-en
behavioral6   $PLUGINSDIR/nsDialogs.dll                                               win10v2004-20240802-en
behavioral7   RollOver.js                                                             win7-20240704-en
behavioral8   RollOver.js                                                             win10v2004-20240802-en
behavioral9   caption.js                                                              win7-20240705-en
behavioral10  caption.js                                                              win10v2004-20240802-en
behavioral11  gestaltungsbeispiele.html                                               win7-20240705-en
behavioral12  gestaltungsbeispiele.html                                               win10v2004-20240802-en
behavioral13  uninst.exe                                                              win7-20240705-en
behavioral14  uninst.exe                                                              win10v2004-20240802-en
behavioral15  $PLUGINSDIR/System.dll                                                  win7-20240708-en
behavioral16  $PLUGINSDIR/System.dll                                                  win10v2004-20240802-en
General

- Target: uninst.exe
- Size: 88KB
- MD5: dd37451855b1c957651e3d61375d6fee
- SHA1: 75557a1892a576cce122308879eb8c11cb91881a
- SHA256: 4a07e72720feddb54300bf7dc3d3d793870a7d6f960409132f302f3fbe54e995
- SHA512: a16e6b50de39ad9111e1fa86c4fee8a0ff53951d63e5492be186cc2c8111f308fc6f4d9fb17d74eb6ba9c9209c39ffb77994c699a8b90cd0aa9a09031bc07a2b
- SSDEEP: 1536:3Tdm9B9lYypfMXvugHQ0D0VdQiNuQgmYRN5L9A5AuLwpPA5OZPAGTU:34lLpkXGED3iNuQxqZ9AEpPAcPAeU
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid   process
  3292  Un_A.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (2 IoCs)
  Processes:
  pid   pid_target  process       target process
  1320  3292        WerFault.exe  Un_A.exe
  1512  3292        WerFault.exe  Un_A.exe

- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  uninst.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Un_A.exe

- Modifies registry class (4 IoCs)
  Processes:
  description  ioc                                                                                                                      process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\                    Un_A.exe
  Key created  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  Un_A.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\                    uninst.exe
  Key created  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  uninst.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                       pid   process     target process
  PID 3192 wrote to memory of 3292  3192  uninst.exe  Un_A.exe
  PID 3192 wrote to memory of 3292  3192  uninst.exe  Un_A.exe
  PID 3192 wrote to memory of 3292  3192  uninst.exe  Un_A.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\uninst.exe (PID 3192)
  Command line: "C:\Users\Admin\AppData\Local\Temp\uninst.exe"
  Signatures: System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe (PID 3292, child of 3192)
    Command line: "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
    - C:\Windows\SysWOW64\WerFault.exe (PID 1320, child of 3292)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1232
      Signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 1512, child of 3292)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1232
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 920)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3292 -ip 3292
- C:\Windows\SysWOW64\WerFault.exe (PID 1236)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3292 -ip 3292
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  Filesize: 88KB
  MD5: dd37451855b1c957651e3d61375d6fee
  SHA1: 75557a1892a576cce122308879eb8c11cb91881a
  SHA256: 4a07e72720feddb54300bf7dc3d3d793870a7d6f960409132f302f3fbe54e995
  SHA512: a16e6b50de39ad9111e1fa86c4fee8a0ff53951d63e5492be186cc2c8111f308fc6f4d9fb17d74eb6ba9c9209c39ffb77994c699a8b90cd0aa9a09031bc07a2b

- memory/3192-0-0x0000000000400000-0x0000000000466000-memory.dmp
  Filesize: 408KB

- memory/3192-6-0x0000000000400000-0x0000000000466000-memory.dmp
  Filesize: 408KB

- memory/3292-10-0x0000000000400000-0x0000000000466000-memory.dmp
  Filesize: 408KB
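Reading the report as a whole: the `$PLUGINSDIR/System.dll` and `$PLUGINSDIR/nsDialogs.dll` entries in the task list mark this as an NSIS (Nullsoft Scriptable Install System) package, and `uninst.exe` launching `~nsuA.tmp\Un_A.exe` with `_?=<install dir>` is the NSIS uninstaller convention of copying itself to a temp directory and rerunning the copy so the original file can be removed. The "Downloads" hashes confirm it: the dropped `Un_A.exe` has the same size, MD5, SHA1, SHA256 and SHA512 as the target, so "Executes dropped EXE" here is a byte-identical self-copy. Every "Suspicious use of WriteProcessMemory" IoC is 3192 writing into its own freshly created child 3292, and all four WerFault.exe instances name 3292 in `-p`, so the temp copy crashed and no other process was written to. The script below is an added triage example, not part of the sandbox's tooling or of the sample. Its input records are transcribed from this report; the regular expressions for the NSIS relaunch command line and the WerFault `-p` argument are assumptions made here about those formats, and the `~nsu?.tmp` pattern assumes the single-letter temp directory name seen on this page.

```python
import re

# Hashes transcribed from this report's "General" (target) and "Downloads"
# (dropped file) sections.
TARGET = {
    "path": r"C:\Users\Admin\AppData\Local\Temp\uninst.exe",
    "size_kb": 88,
    "sha256": "4a07e72720feddb54300bf7dc3d3d793870a7d6f960409132f302f3fbe54e995",
}
DROPPED = {
    "path": r"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe",
    "size_kb": 88,
    "sha256": "4a07e72720feddb54300bf7dc3d3d793870a7d6f960409132f302f3fbe54e995",
}

# (pid, parent pid or None for a tree root, command line), transcribed from
# the "Processes" tree.  The NSIS command line ends in a backslash, which a
# raw string literal cannot, hence the trailing concatenation.
PROCESSES = [
    (3192, None, r'"C:\Users\Admin\AppData\Local\Temp\uninst.exe"'),
    (3292, 3192, r'"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" '
                 r"_?=C:\Users\Admin\AppData\Local\Temp" + "\\"),
    (1320, 3292, r"C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1232"),
    (1512, 3292, r"C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1232"),
    (920, None, r"C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3292 -ip 3292"),
    (1236, None, r"C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3292 -ip 3292"),
]

# (writer pid, target pid), transcribed from "Suspicious use of WriteProcessMemory".
WPM_EVENTS = [(3192, 3292), (3192, 3292), (3192, 3292)]

# Assumed command-line shapes (not taken from the report): the NSIS uninstaller
# relaunches its temp copy as ~nsu?.tmp\Un_A.exe with _?=<install dir>, and
# WerFault names the crashed process in "-p <pid>".
NSIS_RELAUNCH = re.compile(r'~nsu\w\.tmp\\Un_A\.exe"?\s+_\?=(\S+)')
WERFAULT_PID = re.compile(r"WerFault\.exe\b.*\s-p\s+(\d+)")


def dropped_is_self_copy(target=TARGET, dropped=DROPPED):
    """True when the 'dropped EXE' is byte-identical to the submitted target."""
    return (target["sha256"] == dropped["sha256"]
            and target["size_kb"] == dropped["size_kb"])


def nsis_install_dir(cmdline):
    """Install directory passed via _?= when cmdline is an NSIS uninstaller
    relaunching its temp copy, else None."""
    m = NSIS_RELAUNCH.search(cmdline)
    return m.group(1) if m else None


def crashed_pids(processes=PROCESSES):
    """Map each crashed pid to the sorted WerFault pids that reported on it."""
    crashes = {}
    for pid, _parent, cmd in processes:
        m = WERFAULT_PID.search(cmd)
        if m:
            crashes.setdefault(int(m.group(1)), []).append(pid)
    return {victim: sorted(reporters) for victim, reporters in crashes.items()}


def wpm_confined_to_children(events=WPM_EVENTS, processes=PROCESSES):
    """True when every WriteProcessMemory target is a direct child of the writer,
    which is what CreateProcess itself does while setting up a new child; a
    write into an unrelated process would be the injection signal."""
    parent_of = {pid: parent for pid, parent, _cmd in processes}
    return all(parent_of.get(target) == writer for writer, target in events)


def triage(processes=PROCESSES, target=TARGET, dropped=DROPPED, events=WPM_EVENTS):
    """Condense the report's signatures into the questions an analyst asks first."""
    relaunches = [(pid, nsis_install_dir(cmd)) for pid, _parent, cmd in processes
                  if nsis_install_dir(cmd)]
    return {
        "dropped_is_self_copy": dropped_is_self_copy(target, dropped),
        "nsis_relaunch": relaunches,
        "crashes": crashed_pids(processes),
        "wpm_confined_to_children": wpm_confined_to_children(events, processes),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run against the transcribed records, `triage()` reports the self-copy as confirmed, one NSIS relaunch (3292, install dir `C:\Users\Admin\AppData\Local\Temp\`), every WerFault instance pointing at 3292, and all WriteProcessMemory events confined to the parent's own child. Swapping in a different report's process list is enough to reuse it; a WriteProcessMemory event whose target is not a child of the writer is what would turn the last answer to False and merit a closer look.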