c21ed8a57209535e93c20b23772cfcfd3b07fcebeb2de7707c66f774f13a00b8

Analysis

max time kernel
13s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c21ed8a57209535e93c20b23772cfcfd3b07fcebeb2de7707c66f774f13a00b8.exe
Size

533KB
MD5

961da6366aa27edbd68cdd5dc5ed5cb8
SHA1

fbef4e3255ec8da0c956accad20fd1701093ac5f
SHA256

c21ed8a57209535e93c20b23772cfcfd3b07fcebeb2de7707c66f774f13a00b8
SHA512

2d4c00ce8d56a0680a5c79a782bcbc34116ebd8c28551e57ba780350440ae50adb47e402df5d1b6f2000ab7b25d53969e1d9c0eb5ea4040c1e438dd939e3dda1
SSDEEP

12288:0D6+Hc63W+9oTr3c8pt6xnQL/vwFeQfcd/S6k:0DoL+yTr3cosVfcd/S6

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2828	ql4aj3qxazqtnecuwr3.exe

Loads dropped DLL 5 IoCs

pid	Process
2052	c21ed8a57209535e93c20b23772cfcfd3b07fcebeb2de7707c66f774f13a00b8.exe
2052	c21ed8a57209535e93c20b23772cfcfd3b07fcebeb2de7707c66f774f13a00b8.exe
2768	WerFault.exe
2768	WerFault.exe
2768	WerFault.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\uqdhcgazrcsd\f7b4rfoajv	c21ed8a57209535e93c20b23772cfcfd3b07fcebeb2de7707c66f774f13a00b8.exe
File created	C:\Windows\uqdhcgazrcsd\f7b4rfoajv	ql4aj3qxazqtnecuwr3.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2768	2828	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c21ed8a57209535e93c20b23772cfcfd3b07fcebeb2de7707c66f774f13a00b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ql4aj3qxazqtnecuwr3.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2828	2052	c21ed8a57209535e93c20b23772cfcfd3b07fcebeb2de7707c66f774f13a00b8.exe	29
PID 2052 wrote to memory of 2828	2052	c21ed8a57209535e93c20b23772cfcfd3b07fcebeb2de7707c66f774f13a00b8.exe	29
PID 2052 wrote to memory of 2828	2052	c21ed8a57209535e93c20b23772cfcfd3b07fcebeb2de7707c66f774f13a00b8.exe	29
PID 2052 wrote to memory of 2828	2052	c21ed8a57209535e93c20b23772cfcfd3b07fcebeb2de7707c66f774f13a00b8.exe	29
PID 2828 wrote to memory of 2768	2828	ql4aj3qxazqtnecuwr3.exe	30
PID 2828 wrote to memory of 2768	2828	ql4aj3qxazqtnecuwr3.exe	30
PID 2828 wrote to memory of 2768	2828	ql4aj3qxazqtnecuwr3.exe	30
PID 2828 wrote to memory of 2768	2828	ql4aj3qxazqtnecuwr3.exe	30

C:\Users\Admin\AppData\Local\Temp\c21ed8a57209535e93c20b23772cfcfd3b07fcebeb2de7707c66f774f13a00b8.exe
"C:\Users\Admin\AppData\Local\Temp\c21ed8a57209535e93c20b23772cfcfd3b07fcebeb2de7707c66f774f13a00b8.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2052
- C:\uqdhcgazrcsd\ql4aj3qxazqtnecuwr3.exe
  "C:\uqdhcgazrcsd\ql4aj3qxazqtnecuwr3.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 176
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\uqdhcgazrcsd\f7b4rfoajv

Filesize
7B

MD5
facc8def0081ace528acc2fa81cf8cd1

SHA1
f60469055dc99902b6f9959c1950645bb94cf428

SHA256
1cf465cc96e1a1c17ce1ae9b883e4eae33b0209fe15e5703603a1ab7518ea3f0

SHA512
2dca95a08b6d976e3e69b58336097f832687756e3b8f6967e31b0160e8c73b246ed027eccbfa76ef02e1d416723baa41c0194b701bde7da111698b9751902a13

Download Submit
\uqdhcgazrcsd\ql4aj3qxazqtnecuwr3.exe

Filesize
533KB

MD5
961da6366aa27edbd68cdd5dc5ed5cb8

SHA1
fbef4e3255ec8da0c956accad20fd1701093ac5f

SHA256
c21ed8a57209535e93c20b23772cfcfd3b07fcebeb2de7707c66f774f13a00b8

SHA512
2d4c00ce8d56a0680a5c79a782bcbc34116ebd8c28551e57ba780350440ae50adb47e402df5d1b6f2000ab7b25d53969e1d9c0eb5ea4040c1e438dd939e3dda1

Download Submit