1198722d28c836c4436d5920b08ccdf7723dd9bc2172ade53ab8a6145d3cf949

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1198722d28c836c4436d5920b08ccdf7723dd9bc2172ade53ab8a6145d3cf949N.exe
Size

448KB
MD5

5211e6a5be9aa3c2bbac809e82bca600
SHA1

5beab4f5eeb3a22a79e570f1e620844f9fac987e
SHA256

1198722d28c836c4436d5920b08ccdf7723dd9bc2172ade53ab8a6145d3cf949
SHA512

5d9a3facf188b1ff1603daa7c6019cefcf3c578eb2682140bc4d2f45541a920ed63d7e941de1a42f9613eda43eb2e44eb64c69580ba8bcfc9da4f2193eb5d1b2
SSDEEP

12288:42p8D02nXfpKzey5o6Xtg8kRahXkO1sYkqdG1BmVQ5zCD4TyWN9VN:4m2nXGQoTG1BmVQ5zY4xN9VN

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
720	1198722d28c836c4436d5920b08ccdf7723dd9bc2172ade53ab8a6145d3cf949N.exe

Executes dropped EXE 1 IoCs

pid	Process
720	1198722d28c836c4436d5920b08ccdf7723dd9bc2172ade53ab8a6145d3cf949N.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
776	4388	WerFault.exe	81
4008	720	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1198722d28c836c4436d5920b08ccdf7723dd9bc2172ade53ab8a6145d3cf949N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4388	1198722d28c836c4436d5920b08ccdf7723dd9bc2172ade53ab8a6145d3cf949N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
720	1198722d28c836c4436d5920b08ccdf7723dd9bc2172ade53ab8a6145d3cf949N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 720	4388	1198722d28c836c4436d5920b08ccdf7723dd9bc2172ade53ab8a6145d3cf949N.exe	86
PID 4388 wrote to memory of 720	4388	1198722d28c836c4436d5920b08ccdf7723dd9bc2172ade53ab8a6145d3cf949N.exe	86
PID 4388 wrote to memory of 720	4388	1198722d28c836c4436d5920b08ccdf7723dd9bc2172ade53ab8a6145d3cf949N.exe	86

C:\Users\Admin\AppData\Local\Temp\1198722d28c836c4436d5920b08ccdf7723dd9bc2172ade53ab8a6145d3cf949N.exe
"C:\Users\Admin\AppData\Local\Temp\1198722d28c836c4436d5920b08ccdf7723dd9bc2172ade53ab8a6145d3cf949N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 396
  2⤵
  - Program crash
  PID:776
- C:\Users\Admin\AppData\Local\Temp\1198722d28c836c4436d5920b08ccdf7723dd9bc2172ade53ab8a6145d3cf949N.exe
  C:\Users\Admin\AppData\Local\Temp\1198722d28c836c4436d5920b08ccdf7723dd9bc2172ade53ab8a6145d3cf949N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 364
    3⤵
    - Program crash
    PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4388 -ip 4388
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 720 -ip 720
1⤵
PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1198722d28c836c4436d5920b08ccdf7723dd9bc2172ade53ab8a6145d3cf949N.exe

Filesize
448KB

MD5
aea79446458b4f2ba1bfe6bda1f8b584

SHA1
0c511e5848481141c339246486cdca277ace279b

SHA256
8992ab44f76df937c7a35e7e80d5253eb3e09a693413ec9621fc2d041b67ecb5

SHA512
d18c26f7402a9eb028e1f7d197c396badb1bd76c4e0b221c21b6f41790f81850d1b90f99e015f6f45e475681f83b58f91f37b2cb9e8854eb5e89dd13530d5010

Download Submit
memory/720-6-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/720-8-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/720-13-0x00000000014B0000-0x00000000014EF000-memory.dmp

Filesize
252KB

Download
memory/720-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4388-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4388-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download