acb6b992dbf4db4e6280033a25027ad5c927ee3c00770e7c9b5411015f4f7aca

Analysis

max time kernel
83s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 20:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

18adffcc0b98bfa2f2ec16b619b43700N.exe
Size

53KB
MD5

18adffcc0b98bfa2f2ec16b619b43700
SHA1

a87d360b85435edb69eab98ed2622d2b279093db
SHA256

acb6b992dbf4db4e6280033a25027ad5c927ee3c00770e7c9b5411015f4f7aca
SHA512

85f08753c67d76ce05f7149795134820f65cb1d2716adfca621cf6f6b47dc11cb3c800f0ddab55d516563f99580dd16d65a19482fa50be636aedf38f0b37848f
SSDEEP

1536:ONRg8r8QxEw2rs/7Kp3StjEMjmLM3ztDJWZsXy4JzxPMk:9w2rs/JJjmLM3zRJWZsXy4Jt

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2672	qeiozi.exe

Loads dropped DLL 7 IoCs

pid	Process
2380	18adffcc0b98bfa2f2ec16b619b43700N.exe
2380	18adffcc0b98bfa2f2ec16b619b43700N.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3004	2380	WerFault.exe	29
2220	2672	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qeiozi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18adffcc0b98bfa2f2ec16b619b43700N.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2380	18adffcc0b98bfa2f2ec16b619b43700N.exe
2672	qeiozi.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2672	2380	18adffcc0b98bfa2f2ec16b619b43700N.exe	30
PID 2380 wrote to memory of 2672	2380	18adffcc0b98bfa2f2ec16b619b43700N.exe	30
PID 2380 wrote to memory of 2672	2380	18adffcc0b98bfa2f2ec16b619b43700N.exe	30
PID 2380 wrote to memory of 2672	2380	18adffcc0b98bfa2f2ec16b619b43700N.exe	30
PID 2380 wrote to memory of 3004	2380	18adffcc0b98bfa2f2ec16b619b43700N.exe	31
PID 2380 wrote to memory of 3004	2380	18adffcc0b98bfa2f2ec16b619b43700N.exe	31
PID 2380 wrote to memory of 3004	2380	18adffcc0b98bfa2f2ec16b619b43700N.exe	31
PID 2380 wrote to memory of 3004	2380	18adffcc0b98bfa2f2ec16b619b43700N.exe	31
PID 2672 wrote to memory of 2220	2672	qeiozi.exe	32
PID 2672 wrote to memory of 2220	2672	qeiozi.exe	32
PID 2672 wrote to memory of 2220	2672	qeiozi.exe	32
PID 2672 wrote to memory of 2220	2672	qeiozi.exe	32

C:\Users\Admin\AppData\Local\Temp\18adffcc0b98bfa2f2ec16b619b43700N.exe
"C:\Users\Admin\AppData\Local\Temp\18adffcc0b98bfa2f2ec16b619b43700N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\qeiozi.exe
  "C:\Users\Admin\qeiozi.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 280
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 524
  2⤵
  - Program crash
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\qeiozi.exe

Filesize
53KB

MD5
44def8f549f484d7904bf4ffa882e213

SHA1
5a4c44679d766e2caec9509a29ecba93c169a2b5

SHA256
78be4cb5a69ce494904b8d814e466d2292df3b89cdc58986d242de85262eeb9c

SHA512
71b9ea8ae3c41addaa519b8d99a9bddcd1fc6be03c355e31b800672efec93a4dad969a42ac007d6d07b5967dbbdc8106ab78d1e489db9812faa4a6e432509165

Download Submit
memory/2380-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2380-8-0x0000000003660000-0x0000000003672000-memory.dmp

Filesize
72KB

Download
memory/2380-23-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2380-24-0x0000000003660000-0x0000000003672000-memory.dmp

Filesize
72KB

Download
memory/2672-25-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download