5d91eb7ffb5d0178703320e8cc53d18c04d9a67867fed2782b1fbed50296a501

Analysis

max time kernel
92s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d91eb7ffb5d0178703320e8cc53d18c04d9a67867fed2782b1fbed50296a501N.exe
Size

268KB
MD5

4bd6c7ffbcab4397aeda0922ed8b06b0
SHA1

83f8ab34ab7d688c069e99e6c3597cfc08cc0218
SHA256

5d91eb7ffb5d0178703320e8cc53d18c04d9a67867fed2782b1fbed50296a501
SHA512

93afaa6dafc6333ea3d6546d078324791bee1552cc644e4ed4d7820031e40861433bab272dbd73709b61cb449254f044ae1404ffbe8430f0f897fc2b95fc9054
SSDEEP

6144:No2zsmlKd2+LMxaXQeNZcDq0tQo5Fiig7:2dml2DMxaXQUOuEK17

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2560	5d91eb7ffb5d0178703320e8cc53d18c04d9a67867fed2782b1fbed50296a501N.exe

Executes dropped EXE 1 IoCs

pid	Process
2560	5d91eb7ffb5d0178703320e8cc53d18c04d9a67867fed2782b1fbed50296a501N.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1040	2516	WerFault.exe	81
4012	2560	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d91eb7ffb5d0178703320e8cc53d18c04d9a67867fed2782b1fbed50296a501N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2516	5d91eb7ffb5d0178703320e8cc53d18c04d9a67867fed2782b1fbed50296a501N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2560	5d91eb7ffb5d0178703320e8cc53d18c04d9a67867fed2782b1fbed50296a501N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2560	2516	5d91eb7ffb5d0178703320e8cc53d18c04d9a67867fed2782b1fbed50296a501N.exe	86
PID 2516 wrote to memory of 2560	2516	5d91eb7ffb5d0178703320e8cc53d18c04d9a67867fed2782b1fbed50296a501N.exe	86
PID 2516 wrote to memory of 2560	2516	5d91eb7ffb5d0178703320e8cc53d18c04d9a67867fed2782b1fbed50296a501N.exe	86

C:\Users\Admin\AppData\Local\Temp\5d91eb7ffb5d0178703320e8cc53d18c04d9a67867fed2782b1fbed50296a501N.exe
"C:\Users\Admin\AppData\Local\Temp\5d91eb7ffb5d0178703320e8cc53d18c04d9a67867fed2782b1fbed50296a501N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 396
  2⤵
  - Program crash
  PID:1040
- C:\Users\Admin\AppData\Local\Temp\5d91eb7ffb5d0178703320e8cc53d18c04d9a67867fed2782b1fbed50296a501N.exe
  C:\Users\Admin\AppData\Local\Temp\5d91eb7ffb5d0178703320e8cc53d18c04d9a67867fed2782b1fbed50296a501N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 368
    3⤵
    - Program crash
    PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2516 -ip 2516
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2560 -ip 2560
1⤵
PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5d91eb7ffb5d0178703320e8cc53d18c04d9a67867fed2782b1fbed50296a501N.exe

Filesize
268KB

MD5
3bd642cc8d695476650c12b2106488e6

SHA1
4eb1e7836659bc6256baba1cb4dec44baaf179d8

SHA256
5b938876c672ce0e2be9e25a359052720c4621ad9feeb05ab2f93a1e65bcf177

SHA512
8226e0dba7e25029fb371b0ec8c7a622d5eca66593e1e3ac6b1ccb739c949d15a5d3074fbd705d1bdf9f4213ef2197c86ea884b0c52c98329e41cc3137c683ef

Download Submit
memory/2516-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2516-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2560-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2560-9-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2560-14-0x0000000003D70000-0x0000000003DB3000-memory.dmp

Filesize
268KB

Download
memory/2560-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download