149aa5d2591be26a7f66ec6c6443e94301efc3f1c0dad83c6dc34e49b22ee325

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

149aa5d2591be26a7f66ec6c6443e94301efc3f1c0dad83c6dc34e49b22ee325N.exe
Size

716KB
MD5

5bbc4c13ea38c58d5c3c2bc8f558f800
SHA1

65075202a7a44b7d2735ad44869d49f59373e615
SHA256

149aa5d2591be26a7f66ec6c6443e94301efc3f1c0dad83c6dc34e49b22ee325
SHA512

cff4c12ee90eef55ab5f75e3f15c7f5f78ef44706bc3bffc05afcfca45bba39b66aa5a6602b0aef036d62e5eb4211fae434df3f76f09ab84cdc505b5950e0bcd
SSDEEP

12288:lXcqhWkdzkMWzcw9OsOSsyRvy1u7kqtf2ssp2JcPpHL4JiV8qGV3wGa7Y8vh4HZI:lXc/SzGzc8OsO9yRvlD2ssp2eRHksiG5

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2084	4900	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	149aa5d2591be26a7f66ec6c6443e94301efc3f1c0dad83c6dc34e49b22ee325N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4052	schtasks.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4900	149aa5d2591be26a7f66ec6c6443e94301efc3f1c0dad83c6dc34e49b22ee325N.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 4360	4900	149aa5d2591be26a7f66ec6c6443e94301efc3f1c0dad83c6dc34e49b22ee325N.exe	82
PID 4900 wrote to memory of 4360	4900	149aa5d2591be26a7f66ec6c6443e94301efc3f1c0dad83c6dc34e49b22ee325N.exe	82
PID 4900 wrote to memory of 4360	4900	149aa5d2591be26a7f66ec6c6443e94301efc3f1c0dad83c6dc34e49b22ee325N.exe	82
PID 4900 wrote to memory of 4492	4900	149aa5d2591be26a7f66ec6c6443e94301efc3f1c0dad83c6dc34e49b22ee325N.exe	83
PID 4900 wrote to memory of 4492	4900	149aa5d2591be26a7f66ec6c6443e94301efc3f1c0dad83c6dc34e49b22ee325N.exe	83
PID 4900 wrote to memory of 4492	4900	149aa5d2591be26a7f66ec6c6443e94301efc3f1c0dad83c6dc34e49b22ee325N.exe	83
PID 4360 wrote to memory of 4052	4360	cmd.exe	87
PID 4360 wrote to memory of 4052	4360	cmd.exe	87
PID 4360 wrote to memory of 4052	4360	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\149aa5d2591be26a7f66ec6c6443e94301efc3f1c0dad83c6dc34e49b22ee325N.exe
"C:\Users\Admin\AppData\Local\Temp\149aa5d2591be26a7f66ec6c6443e94301efc3f1c0dad83c6dc34e49b22ee325N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\e8fb1ebd850140caa97509d1d746dfb1.xml"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\e8fb1ebd850140caa97509d1d746dfb1.xml"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4052
- C:\Users\Admin\AppData\Local\Temp\149aa5d2591be26a7f66ec6c6443e94301efc3f1c0dad83c6dc34e49b22ee325N.exe
  "C:\Users\Admin\AppData\Local\Temp\149aa5d2591be26a7f66ec6c6443e94301efc3f1c0dad83c6dc34e49b22ee325N.exe"
  2⤵
  PID:4492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 628
  2⤵
  - Program crash
  PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4900 -ip 4900
1⤵
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e8fb1ebd850140caa97509d1d746dfb1.xml

Filesize
1KB

MD5
23ad61ceccefc116b01e840065f13f66

SHA1
69b73f8a036e6aad34b9ba0fa4361e261141f225

SHA256
2c8fea3d677a595182607a02b21a206efcc468e13b01c29ba8ce66ff2ae40706

SHA512
df2c32e0c50234b21015b6b2ef2ca66e2a6f12472d03faadadc1884a810c34dff494de228fb705175f915174fe87c8abef9c09044f6ab72ba0eb73450ce69ee8

Download Submit
memory/4900-0-0x0000000000E20000-0x0000000000ED6000-memory.dmp

Filesize
728KB

Download
memory/4900-2-0x0000000000E44000-0x0000000000E4A000-memory.dmp

Filesize
24KB

Download
memory/4900-5-0x0000000000E44000-0x0000000000E4A000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads