Overview

overview

5

Static

static

5

0c5c3f606d...56.exe

windows7-x64

5

0c5c3f606d...56.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-09-2024 01:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0c5c3f606d4a78f0504cf025f5b2d27b7693d217d2c4e004b348d84ca770df56.exe

  • Size

    1.1MB

  • MD5

    d7d20f5633562e2734a5c5708c0de4dc

  • SHA1

    94604404e30d61b3ccf93ab295ce6f16b3ace044

  • SHA256

    0c5c3f606d4a78f0504cf025f5b2d27b7693d217d2c4e004b348d84ca770df56

  • SHA512

    ab5c42326258620c3546c55a4e1976d8043f124b9ae56342630393b672c8a8380ff085a49138f1c6c202b9a150b4cfd3362f5ed7860640110806f19cf3dbfc49

  • SSDEEP

    24576:8AHnh+eWsN3skA4RV1Hom2KXMmHawemjZrj1YfNEB4V5:bh+ZkldoPK8Yawtrfc

Score
5/10
discovery

Malware Config

Signatures

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c5c3f606d4a78f0504cf025f5b2d27b7693d217d2c4e004b348d84ca770df56.exe
    "C:\Users\Admin\AppData\Local\Temp\0c5c3f606d4a78f0504cf025f5b2d27b7693d217d2c4e004b348d84ca770df56.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\0c5c3f606d4a78f0504cf025f5b2d27b7693d217d2c4e004b348d84ca770df56.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1696
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 776
      2⤵
      • Program crash
      PID:3436
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1956 -ip 1956
    1⤵
      PID:1752

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\autB323.tmp
      Filesize

      280KB

      MD5

      eabbd33ba170ee93510d3716bdac7997

      SHA1

      cb4c1d486029b108b89dbf604fdb0e5dec42976f

      SHA256

      213952fff3106a6615e788d961aa56d9947034463e7ce0cbdee4fe576b1cf593

      SHA512

      4a31d33a326f3acc5053e395df851005be078a9e2263dedf7c8b1e900296d3045bd11741b4c962063a677a4dd37a97b24b509fe730b15b713bc16ceb89b0de6f

      Download Submit

    • memory/1696-14-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/1696-15-0x0000000001000000-0x000000000134A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1696-16-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/1696-17-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/1956-13-0x0000000001540000-0x0000000001544000-memory.dmp

      Filesize

      16KB

      Download