55a429119b44fdf2d9525c405a57f351888e06ec14e630281ae880018df2178c

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6349d89432b27f293cd083ea6cc2c450N.exe
Size

53KB
MD5

6349d89432b27f293cd083ea6cc2c450
SHA1

9d6612593773f85a3f79b2b6f4a920125a9de0e2
SHA256

55a429119b44fdf2d9525c405a57f351888e06ec14e630281ae880018df2178c
SHA512

46bbcbdf676bb755decb3dfa3d812d0d7b379bdaab7ed28fb6e89d1d77407cc7029b185d447e2b16a96386757353b6b625cb83abc30a1d36fc95ec751b73ae51
SSDEEP

1536:vNcg8r8QpX3pyi7Kp3StjEMjmLM3ztDJWZsXy4JzxPMU:CX3IiJJjmLM3zRJWZsXy4Jd

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	6349d89432b27f293cd083ea6cc2c450N.exe

Executes dropped EXE 1 IoCs

pid	Process
4704	piouri.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3316	4344	WerFault.exe	81
4548	4704	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6349d89432b27f293cd083ea6cc2c450N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	piouri.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4344	6349d89432b27f293cd083ea6cc2c450N.exe
4704	piouri.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 4704	4344	6349d89432b27f293cd083ea6cc2c450N.exe	86
PID 4344 wrote to memory of 4704	4344	6349d89432b27f293cd083ea6cc2c450N.exe	86
PID 4344 wrote to memory of 4704	4344	6349d89432b27f293cd083ea6cc2c450N.exe	86

C:\Users\Admin\AppData\Local\Temp\6349d89432b27f293cd083ea6cc2c450N.exe
"C:\Users\Admin\AppData\Local\Temp\6349d89432b27f293cd083ea6cc2c450N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Users\Admin\piouri.exe
  "C:\Users\Admin\piouri.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 676
    3⤵
    - Program crash
    PID:4548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 960
  2⤵
  - Program crash
  PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4344 -ip 4344
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4704 -ip 4704
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\piouri.exe

Filesize
53KB

MD5
f0a6faf20c37febbc8e995c9e6a2d35e

SHA1
cd6bb212c701851c21bb8219a37a3f4fa0771fc5

SHA256
f9e10aaf32d602b75d1e3aa28e9ccbcdbbfa2d2c1f860d980c78ccf40b6b6594

SHA512
bce0baffdbae1ab1e0cfdfe8ca80d8917590fcf63568e214c9016da170817fd7e933ac16711339eb68e73beda8b805dcbf69a7131127e858dca652eb0a0ba168

Download Submit
memory/4344-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4344-37-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4704-33-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4704-38-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download