43ee56d9325525f211d0b7176e842d8feec0b6a64a7c0ac1bcbc5ed246f53251

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 14:40

Target

BlitzedGrabberV12-main/resources/UltraEmbeddable.exe
Size

465KB
MD5

b6b77d0798d39d7fadd69784c4e47c30
SHA1

967af699bd9e0f2f20b0743323e5cdd6c3767ea2
SHA256

e5c9880090d757207a5cd373f5e1d20c42d7486c742b3a30a2ee741a7aef5ef8
SHA512

5140dcebbeb53c8e74364de824d78d6c5fddcfa08f0ac38ff0d898e71bf4f8630f3b529571a7f64be00981e83af7f85a9b6665aedfaf7f0720995fae8a8e28d6
SSDEEP

12288:MXUNgkAIMflOWTUpGY5ObqRKd6G2nHVxxd/2KO:QUNdJMNOWTUQveYd6fHnxsKO

Score

3^/10

discovery

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1324 2380 WerFault.exe UltraEmbeddable.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

UltraEmbeddable.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language UltraEmbeddable.exe

pid	pid_target	process	target process
1324	2380	WerFault.exe	UltraEmbeddable.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UltraEmbeddable.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

UltraEmbeddable.exe

description	pid	process	target process
PID 2380 wrote to memory of 1324	2380	UltraEmbeddable.exe	WerFault.exe
PID 2380 wrote to memory of 1324	2380	UltraEmbeddable.exe	WerFault.exe
PID 2380 wrote to memory of 1324	2380	UltraEmbeddable.exe	WerFault.exe
PID 2380 wrote to memory of 1324	2380	UltraEmbeddable.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\resources\UltraEmbeddable.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\resources\UltraEmbeddable.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 556
  2⤵
  - Program crash
  PID:1324

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2380-0-0x00000000740DE000-0x00000000740DF000-memory.dmp

Filesize
4KB

Download
memory/2380-1-0x0000000000080000-0x00000000000FA000-memory.dmp

Filesize
488KB

Download
memory/2380-2-0x00000000740DE000-0x00000000740DF000-memory.dmp

Filesize
4KB

Download