1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af

General

Target

1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe
Size

354KB
MD5

3688756f43ff292c6431c90f7928dec6
SHA1

dadf075fdc48d59398c97e3e9a83fcb45a75e02a
SHA256

1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af
SHA512

e7754f895eb8010f9aa65b476ece542ece987a5fa78cf8f4806086186f738619bd999a9f6ee416c6b64fd98dc45b05a6c20a9bb0ca1f26fe0478eee69763e4e8
SSDEEP

6144:7ogIz4+0PtWd4hNC2f38OdLdBTEK1DedgwbjBBJsDqB4DK0hH2I:7ogIzye2/8O9dSK1M3BBJsDqB4DK0ZL

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4140 set thread context of 3980	4140	1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe	86
PID 4140 set thread context of 4844	4140	1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe	87

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1972	3980	WerFault.exe	86
2972	4844	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4140	1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 3980	4140	1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe	86
PID 4140 wrote to memory of 3980	4140	1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe	86
PID 4140 wrote to memory of 3980	4140	1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe	86
PID 4140 wrote to memory of 3980	4140	1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe	86
PID 4140 wrote to memory of 3980	4140	1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe	86
PID 4140 wrote to memory of 3980	4140	1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe	86
PID 4140 wrote to memory of 3980	4140	1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe	86
PID 4140 wrote to memory of 3980	4140	1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe	86
PID 4140 wrote to memory of 4844	4140	1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe	87
PID 4140 wrote to memory of 4844	4140	1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe	87
PID 4140 wrote to memory of 4844	4140	1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe	87
PID 4140 wrote to memory of 4844	4140	1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe	87
PID 4140 wrote to memory of 4844	4140	1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe	87
PID 4140 wrote to memory of 4844	4140	1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe	87
PID 4140 wrote to memory of 4844	4140	1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe	87
PID 4140 wrote to memory of 4844	4140	1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe	87

C:\Users\Admin\AppData\Local\Temp\1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe
"C:\Users\Admin\AppData\Local\Temp\1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Users\Admin\AppData\Local\Temp\1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe
  C:\Users\Admin\AppData\Local\Temp\1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe
  2⤵
  PID:3980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 80
    3⤵
    - Program crash
    PID:1972
- C:\Users\Admin\AppData\Local\Temp\1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe
  C:\Users\Admin\AppData\Local\Temp\1c19018dec9dbe68fc48099c662be25062e7a43e6658bf396c6cc8fb2f6d21af.exe
  2⤵
  PID:4844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 80
    3⤵
    - Program crash
    PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3980 -ip 3980
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4844 -ip 4844
1⤵
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4140-0-0x000000007508E000-0x000000007508F000-memory.dmp

Filesize
4KB

Download
memory/4140-1-0x0000000000C80000-0x0000000000CE2000-memory.dmp

Filesize
392KB

Download
memory/4140-2-0x0000000005610000-0x0000000005616000-memory.dmp

Filesize
24KB

Download
memory/4140-4-0x000000000E200000-0x000000000E256000-memory.dmp

Filesize
344KB

Download
memory/4140-3-0x0000000075080000-0x0000000075830000-memory.dmp

Filesize
7.7MB

Download
memory/4140-5-0x000000000E2F0000-0x000000000E38C000-memory.dmp

Filesize
624KB

Download
memory/4140-6-0x000000000E940000-0x000000000EEE4000-memory.dmp

Filesize
5.6MB

Download
memory/4140-7-0x000000000E430000-0x000000000E4C2000-memory.dmp

Filesize
584KB

Download
memory/4140-8-0x0000000001820000-0x0000000001826000-memory.dmp

Filesize
24KB

Download
memory/4140-12-0x0000000075080000-0x0000000075830000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing