55a429119b44fdf2d9525c405a57f351888e06ec14e630281ae880018df2178c

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6349d89432b27f293cd083ea6cc2c450N.exe
Size

53KB
MD5

6349d89432b27f293cd083ea6cc2c450
SHA1

9d6612593773f85a3f79b2b6f4a920125a9de0e2
SHA256

55a429119b44fdf2d9525c405a57f351888e06ec14e630281ae880018df2178c
SHA512

46bbcbdf676bb755decb3dfa3d812d0d7b379bdaab7ed28fb6e89d1d77407cc7029b185d447e2b16a96386757353b6b625cb83abc30a1d36fc95ec751b73ae51
SSDEEP

1536:vNcg8r8QpX3pyi7Kp3StjEMjmLM3ztDJWZsXy4JzxPMU:CX3IiJJjmLM3zRJWZsXy4Jd

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2908	qeuom.exe

Loads dropped DLL 7 IoCs

pid	Process
2736	6349d89432b27f293cd083ea6cc2c450N.exe
2736	6349d89432b27f293cd083ea6cc2c450N.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2552	2736	WerFault.exe	29
2540	2908	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6349d89432b27f293cd083ea6cc2c450N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qeuom.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2736	6349d89432b27f293cd083ea6cc2c450N.exe
2908	qeuom.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2908	2736	6349d89432b27f293cd083ea6cc2c450N.exe	30
PID 2736 wrote to memory of 2908	2736	6349d89432b27f293cd083ea6cc2c450N.exe	30
PID 2736 wrote to memory of 2908	2736	6349d89432b27f293cd083ea6cc2c450N.exe	30
PID 2736 wrote to memory of 2908	2736	6349d89432b27f293cd083ea6cc2c450N.exe	30
PID 2736 wrote to memory of 2552	2736	6349d89432b27f293cd083ea6cc2c450N.exe	31
PID 2736 wrote to memory of 2552	2736	6349d89432b27f293cd083ea6cc2c450N.exe	31
PID 2736 wrote to memory of 2552	2736	6349d89432b27f293cd083ea6cc2c450N.exe	31
PID 2736 wrote to memory of 2552	2736	6349d89432b27f293cd083ea6cc2c450N.exe	31
PID 2908 wrote to memory of 2540	2908	qeuom.exe	32
PID 2908 wrote to memory of 2540	2908	qeuom.exe	32
PID 2908 wrote to memory of 2540	2908	qeuom.exe	32
PID 2908 wrote to memory of 2540	2908	qeuom.exe	32

C:\Users\Admin\AppData\Local\Temp\6349d89432b27f293cd083ea6cc2c450N.exe
"C:\Users\Admin\AppData\Local\Temp\6349d89432b27f293cd083ea6cc2c450N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\qeuom.exe
  "C:\Users\Admin\qeuom.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 280
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 496
  2⤵
  - Program crash
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\qeuom.exe

Filesize
53KB

MD5
9c63a7eab777b490f71786d4bff2dfb2

SHA1
01a29eedca133679b52c750ab0f8bdcd6cdcaf9e

SHA256
c08f0c037078389dac422b2cb52556b2145542c2371b86617ce11f2fbfccb6bf

SHA512
ea83056c910a1318a1ae4bca5c02f23e32c0e460acd48f37b9cccef619a898ce3dee3301919d74c40662bd2dbf119dd5c8dea683ba7da7dd4cf577e54529008a

Download Submit
memory/2736-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2736-14-0x0000000003840000-0x0000000003852000-memory.dmp

Filesize
72KB

Download
memory/2736-13-0x0000000003840000-0x0000000003852000-memory.dmp

Filesize
72KB

Download
memory/2736-25-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2736-26-0x0000000003840000-0x0000000003852000-memory.dmp

Filesize
72KB

Download
memory/2736-27-0x0000000003840000-0x0000000003852000-memory.dmp

Filesize
72KB

Download
memory/2908-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2908-28-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download