644b08d376383fffa19d8fa60cf0dbbf5705fae34940c4ed9d52c50a04f28811

General

Target

644b08d376383fffa19d8fa60cf0dbbf5705fae34940c4ed9d52c50a04f28811N.exe
Size

53KB
MD5

004e4ef66887ced58bfb878c30803730
SHA1

ae2ce774aedff69a9dd9eab6791dcc658e7e1900
SHA256

644b08d376383fffa19d8fa60cf0dbbf5705fae34940c4ed9d52c50a04f28811
SHA512

23770719f5a80111d468f5ab98d708aacc87516598b4fbc6b08dce72736b4ed37e98d6af8e034267d55efa98b9ee22002683f18547dd340894b5ab9e95cb1353
SSDEEP

1536:aNTg8r8QJR+kGFdO7Kp3StjEMjmLM3ztDJWZsXy4JzxPMk:C+kHJJjmLM3zRJWZsXy4JN

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2592	mzqoij.exe

Loads dropped DLL 7 IoCs

pid	Process
2220	644b08d376383fffa19d8fa60cf0dbbf5705fae34940c4ed9d52c50a04f28811N.exe
2220	644b08d376383fffa19d8fa60cf0dbbf5705fae34940c4ed9d52c50a04f28811N.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2028	2220	WerFault.exe	29
2816	2592	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	644b08d376383fffa19d8fa60cf0dbbf5705fae34940c4ed9d52c50a04f28811N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mzqoij.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2220	644b08d376383fffa19d8fa60cf0dbbf5705fae34940c4ed9d52c50a04f28811N.exe
2592	mzqoij.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2592	2220	644b08d376383fffa19d8fa60cf0dbbf5705fae34940c4ed9d52c50a04f28811N.exe	30
PID 2220 wrote to memory of 2592	2220	644b08d376383fffa19d8fa60cf0dbbf5705fae34940c4ed9d52c50a04f28811N.exe	30
PID 2220 wrote to memory of 2592	2220	644b08d376383fffa19d8fa60cf0dbbf5705fae34940c4ed9d52c50a04f28811N.exe	30
PID 2220 wrote to memory of 2592	2220	644b08d376383fffa19d8fa60cf0dbbf5705fae34940c4ed9d52c50a04f28811N.exe	30
PID 2220 wrote to memory of 2028	2220	644b08d376383fffa19d8fa60cf0dbbf5705fae34940c4ed9d52c50a04f28811N.exe	31
PID 2220 wrote to memory of 2028	2220	644b08d376383fffa19d8fa60cf0dbbf5705fae34940c4ed9d52c50a04f28811N.exe	31
PID 2220 wrote to memory of 2028	2220	644b08d376383fffa19d8fa60cf0dbbf5705fae34940c4ed9d52c50a04f28811N.exe	31
PID 2220 wrote to memory of 2028	2220	644b08d376383fffa19d8fa60cf0dbbf5705fae34940c4ed9d52c50a04f28811N.exe	31
PID 2592 wrote to memory of 2816	2592	mzqoij.exe	32
PID 2592 wrote to memory of 2816	2592	mzqoij.exe	32
PID 2592 wrote to memory of 2816	2592	mzqoij.exe	32
PID 2592 wrote to memory of 2816	2592	mzqoij.exe	32

C:\Users\Admin\AppData\Local\Temp\644b08d376383fffa19d8fa60cf0dbbf5705fae34940c4ed9d52c50a04f28811N.exe
"C:\Users\Admin\AppData\Local\Temp\644b08d376383fffa19d8fa60cf0dbbf5705fae34940c4ed9d52c50a04f28811N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\mzqoij.exe
  "C:\Users\Admin\mzqoij.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 280
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 528
  2⤵
  - Program crash
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\mzqoij.exe

Filesize
53KB

MD5
76c10803ec79ad0cdb794777b1a4d01d

SHA1
c200f1e7378c519ff4c56a3a51deca474055b503

SHA256
657263115017c373196ac949540a1f903ff4304917bfadb52b7cf710ebb56353

SHA512
9c025b120223bf8a160bbe0bb1bb6546f7f97ac9cd625ec2d7c6024aadb22049949b2fdccf9e208d99c26b08065326dd981b5c1960abcae69ea30cc279b99571

Download Submit
memory/2220-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2220-13-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/2220-14-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/2220-25-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2220-26-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/2220-27-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/2592-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2592-28-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing