f98b8c6be528239e0ebe3622dadb5157e823089ab9b6b24b64a6282de1e9f38e

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f98b8c6be528239e0ebe3622dadb5157e823089ab9b6b24b64a6282de1e9f38e.exe
Size

1.1MB
MD5

ee42283ee642860f25d8e20a5717882b
SHA1

97b007747754d6018b531106030cb24d6d84fa87
SHA256

f98b8c6be528239e0ebe3622dadb5157e823089ab9b6b24b64a6282de1e9f38e
SHA512

fea04ec4d5060bf267b93fd1094b673178d549836071e201b045fd072af1c55c91c53d997810b4294d36bc59a00fa3eea662edf10c13fb96b40652028f0fa7f9
SSDEEP

24576:eqDEvCTbMWu7rQYlBQcBiT6rprG8abk23dVMfy:eTvC/MTQYxsWR7ablo

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 1 IoCs

pid	Process
1852	name.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0002000000022ab2-14.dat	autoit_exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4852	1852	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f98b8c6be528239e0ebe3622dadb5157e823089ab9b6b24b64a6282de1e9f38e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1852	name.exe
1852	name.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2292	f98b8c6be528239e0ebe3622dadb5157e823089ab9b6b24b64a6282de1e9f38e.exe
2292	f98b8c6be528239e0ebe3622dadb5157e823089ab9b6b24b64a6282de1e9f38e.exe
1852	name.exe
1852	name.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2292	f98b8c6be528239e0ebe3622dadb5157e823089ab9b6b24b64a6282de1e9f38e.exe
2292	f98b8c6be528239e0ebe3622dadb5157e823089ab9b6b24b64a6282de1e9f38e.exe
1852	name.exe
1852	name.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1852	2292	f98b8c6be528239e0ebe3622dadb5157e823089ab9b6b24b64a6282de1e9f38e.exe	86
PID 2292 wrote to memory of 1852	2292	f98b8c6be528239e0ebe3622dadb5157e823089ab9b6b24b64a6282de1e9f38e.exe	86
PID 2292 wrote to memory of 1852	2292	f98b8c6be528239e0ebe3622dadb5157e823089ab9b6b24b64a6282de1e9f38e.exe	86
PID 1852 wrote to memory of 2228	1852	name.exe	87
PID 1852 wrote to memory of 2228	1852	name.exe	87
PID 1852 wrote to memory of 2228	1852	name.exe	87

C:\Users\Admin\AppData\Local\Temp\f98b8c6be528239e0ebe3622dadb5157e823089ab9b6b24b64a6282de1e9f38e.exe
"C:\Users\Admin\AppData\Local\Temp\f98b8c6be528239e0ebe3622dadb5157e823089ab9b6b24b64a6282de1e9f38e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\f98b8c6be528239e0ebe3622dadb5157e823089ab9b6b24b64a6282de1e9f38e.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\f98b8c6be528239e0ebe3622dadb5157e823089ab9b6b24b64a6282de1e9f38e.exe"
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 696
    3⤵
    - Program crash
    PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1852 -ip 1852
1⤵
PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Milburt

Filesize
129KB

MD5
394e4805646d0012dfc15a2dde8e5f0a

SHA1
e019c4d8130b44fbd6171a1e5750763c577e7d91

SHA256
126968888c06702939bdf24dc9b5cef368d9337ff624e0d68ee2b99e24fb720b

SHA512
1f282dd549a1749e083f4fce2075d84a7ce4b5855edf5a2ef1d14a09c67ff024f3e91c7114c764f1eb7e46b329b44432de7c366979424623f34706f2e016a002

Download Submit
C:\Users\Admin\AppData\Local\Temp\intemeration

Filesize
84KB

MD5
2834b827926c7cf2b4f954a9fb7f23f6

SHA1
b771fffbc6ad71da908061b4eaac0860b4cae9ca

SHA256
b32aaa9bfff82c89775e121e444bc266e28ccd757e28f4f8814695f14df4692a

SHA512
1abc6833134ee33573bba3031efe68616f99096756b332e8ef01eeb415a530a9dee74506a15dda6d379a92c6428318a8426a062e8421db4d26067202f012d39d

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
1.1MB

MD5
ee42283ee642860f25d8e20a5717882b

SHA1
97b007747754d6018b531106030cb24d6d84fa87

SHA256
f98b8c6be528239e0ebe3622dadb5157e823089ab9b6b24b64a6282de1e9f38e

SHA512
fea04ec4d5060bf267b93fd1094b673178d549836071e201b045fd072af1c55c91c53d997810b4294d36bc59a00fa3eea662edf10c13fb96b40652028f0fa7f9

Download Submit
memory/2292-11-0x0000000003FD0000-0x0000000003FD4000-memory.dmp

Filesize
16KB

Download