Analysis

max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/09/2024, 22:01
Static task: static1
Behavioral task: behavioral1
  Sample: a9c6505ad020d7771df829f15d405bd0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: a9c6505ad020d7771df829f15d405bd0N.exe
  Resource: win10v2004-20240802-en
General

Target: a9c6505ad020d7771df829f15d405bd0N.exe
Size: 3.7MB
MD5: a9c6505ad020d7771df829f15d405bd0
SHA1: 9b9b139d09cba729ff808fa203f6d152e978ac00
SHA256: 885c252a449162949dac364e69e8b93d29d8794ce5f474219d236afe46641e1e
SHA512: a22beb257cf26d3f63e5c0227cf27605c6c9a2933a032216ab00204a511def18c1b36ec77d2a65a60df9c7db5fc24178e3253370993bbfa370566f04bc741c9a
SSDEEP: 24576:2uLZMTc+FqzmLmwm+Fqzl+Fqzj+FqzmLmwq+FqzDl+Fqzj+FqmNmwq+FqzDl+Fql:2ulMTdttrZAtn
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  784   apvxpuv.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid    Process                                 procid_target
  PID 1476 set thread context of 784   1476   a9c6505ad020d7771df829f15d405bd0N.exe   83

Program crash (1 IoC)
  pid    pid_target   Process        procid_target
  3628   784          WerFault.exe   83
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   a9c6505ad020d7771df829f15d405bd0N.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid    Process
  1476   a9c6505ad020d7771df829f15d405bd0N.exe
  1476   a9c6505ad020d7771df829f15d405bd0N.exe

Suspicious use of WriteProcessMemory (6 IoCs; the same row is reported six times)
  description                      pid    Process                                 procid_target
  PID 1476 wrote to memory of 784  1476   a9c6505ad020d7771df829f15d405bd0N.exe   83
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\a9c6505ad020d7771df829f15d405bd0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a9c6505ad020d7771df829f15d405bd0N.exe"
  PID: 1476
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Local\Temp\apvxpuv.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\apvxpuv.exe
    PID: 784
    - Executes dropped EXE

    (depth 3) C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 24
      PID: 3628
      - Program crash

(depth 1) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 784 -ip 784
  PID: 2496
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 5.0MB
MD5: dfca5ec85ace299e6188f299d6337f93
SHA1: 66470d31889bdfea9a2204ff37ae6afa52a3c5ca
SHA256: bfe8b2f890c4de4fe1a2bd3770919e46d91f8d68689b72a1be7f36302325e235
SHA512: 6ba876c0389c166a7219fa00c35853b8910c317bdf4e37c2ebc18a9c773cb00fdfbaf5c06caa18c20a2ffe3f3f1d89fc4cda5cda90a5bafa8b0c5a6d29a7254e