b07ef93ad281106b564e9c1c8f2c213f3864a4eea4bf2d8f8d4c84a49631308f

Analysis

max time kernel
118s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/08/2024, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

845e2bde2f5a2b007f69c641fa64f790N.exe
Size

589KB
MD5

845e2bde2f5a2b007f69c641fa64f790
SHA1

c4240332a166baafe603f1bfa4d2b1e1132e61fc
SHA256

b07ef93ad281106b564e9c1c8f2c213f3864a4eea4bf2d8f8d4c84a49631308f
SHA512

0be6155dd109369ad272bb45ce0f80188427e238abfe5e128e03aa4549e497a9d8cc5aad57c809f3029a27df025ca68f9738b96e5cfd2b130d4b6369669793e2
SSDEEP

6144:bCE6/mUXJ531nIUliViSZbLhaZfvMlLXICg2vj7OyzWxzRazUE1K52u8iqUNr63:F6TOUMBQf0ljW2vj7OyzoRaA+ei

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4540	1216	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	845e2bde2f5a2b007f69c641fa64f790N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1216	winver.exe
1216	winver.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1216	winver.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3440	Explorer.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 1216	4912	845e2bde2f5a2b007f69c641fa64f790N.exe	88
PID 4912 wrote to memory of 1216	4912	845e2bde2f5a2b007f69c641fa64f790N.exe	88
PID 4912 wrote to memory of 1216	4912	845e2bde2f5a2b007f69c641fa64f790N.exe	88
PID 4912 wrote to memory of 1216	4912	845e2bde2f5a2b007f69c641fa64f790N.exe	88
PID 1216 wrote to memory of 3440	1216	winver.exe	56
PID 1216 wrote to memory of 2932	1216	winver.exe	49

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2932

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3440
- C:\Users\Admin\AppData\Local\Temp\845e2bde2f5a2b007f69c641fa64f790N.exe
  "C:\Users\Admin\AppData\Local\Temp\845e2bde2f5a2b007f69c641fa64f790N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\SysWOW64\winver.exe
    winver
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 636
      4⤵
      Program crash
      PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1216 -ip 1216
1⤵
PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1216-18-0x00000000009F0000-0x00000000009F7000-memory.dmp

Filesize
28KB

Download
memory/1216-4-0x00000000009F0000-0x00000000009F7000-memory.dmp

Filesize
28KB

Download
memory/1216-6-0x00000000009F0000-0x00000000009F7000-memory.dmp

Filesize
28KB

Download
memory/1216-10-0x00000000770D2000-0x00000000770D3000-memory.dmp

Filesize
4KB

Download
memory/2932-15-0x0000000000490000-0x0000000000497000-memory.dmp

Filesize
28KB

Download
memory/2932-14-0x0000000000490000-0x0000000000497000-memory.dmp

Filesize
28KB

Download
memory/3440-9-0x0000000001400000-0x0000000001407000-memory.dmp

Filesize
28KB

Download
memory/3440-11-0x00007FFCD926D000-0x00007FFCD926E000-memory.dmp

Filesize
4KB

Download
memory/4912-3-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4912-13-0x0000000000400000-0x0000000000404A00-memory.dmp

Filesize
18KB

Download
memory/4912-0-0x0000000000410000-0x0000000000413000-memory.dmp

Filesize
12KB

Download
memory/4912-2-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4912-1-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download