2940a3d00fbeae0623c4f6c3231ec29b10b3d3043a2ccbc6f05fb92220de58a8

Analysis

max time kernel
98s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117.exe
Size

192KB
MD5

a43025a136bcc6af701054ed51ad8adb
SHA1

547032f4afb1cb3b6970ba5a64234d20e815a3a4
SHA256

140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117
SHA512

e6c9bd2cf29cffb3d318664a9525d6d56767d4ec482b6f38861b1f01d222a73228f4e70bc12b45f700eb37513a32d64616edf09e8b4df349e9a0aa36c7fe3f81
SSDEEP

3072:l1NjcVVnLpPuqbJzk9y/Nsso8vTUa6wySNSCV1sPvhDbQh2k4hPwn0gSimGZ6P5u:HNeZFhbEaeSN91sP9baS+npwIn2nyR7

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

rxyzg.exe

pid	Process
4524	rxyzg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2492	4524	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117.exerxyzg.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rxyzg.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117.exerxyzg.exe

description	pid	Process	procid_target
PID 3556 wrote to memory of 4524	3556	140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117.exe	82
PID 3556 wrote to memory of 4524	3556	140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117.exe	82
PID 3556 wrote to memory of 4524	3556	140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117.exe	82
PID 4524 wrote to memory of 4888	4524	rxyzg.exe	83
PID 4524 wrote to memory of 4888	4524	rxyzg.exe	83
PID 4524 wrote to memory of 4888	4524	rxyzg.exe	83

C:\Users\Admin\AppData\Local\Temp\140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117.exe
"C:\Users\Admin\AppData\Local\Temp\140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Users\Admin\AppData\Local\Temp\rxyzg.exe
  C:\Users\Admin\AppData\Local\Temp\rxyzg.exe C:\Users\Admin\AppData\Local\Temp\mfqbqbhcqx
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\rxyzg.exe
    C:\Users\Admin\AppData\Local\Temp\rxyzg.exe C:\Users\Admin\AppData\Local\Temp\mfqbqbhcqx
    3⤵
    PID:4888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 544
    3⤵
    - Program crash
    PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4524 -ip 4524
1⤵
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8u7tt4ey32b

Filesize
163KB

MD5
4b647b9910011c7dcb6efcdf177f4c4a

SHA1
cf59b74c1bec81062866e3327bf057fdbadd8eab

SHA256
09bdf441425a65d105404065b4feaa4c231a7d5ea21bf9b3b832c30ed6ee053e

SHA512
5fece077b9fb7b1fe1646e0a31a6cc5ec246dcb13229caac5838c1ef277eef4cee5ba2b2d013c37eeab7d55ba8d38c92c9684a05b63456b93104a37302c4c234

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfqbqbhcqx

Filesize
4KB

MD5
2ce8643c23d1bc7f420bdde0683c28ee

SHA1
c84271354bceeededc251467eae7cab0f2c3636c

SHA256
c4c7b8ac8e31d6d252b19de0bebaf27e31e0c5c2200c9be94eaecfed81db601c

SHA512
6319803d938cd42e7f434cfdcf71f547db70d77493d3c5010cb82371d12a156704bf0e554e5d88d7bbe591cb0dd03c7812b0e159ec3e29d2117e560802eb3b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxyzg.exe

Filesize
3KB

MD5
64d3f2b2a7c95bc7051051fe34620dc3

SHA1
1a089f830583bca8aae69330a9e4946bbe03fb4f

SHA256
d1595a226a32172f214ff69b964281ef663079b6467cffa98edc6064a9f69ab6

SHA512
af6b303b98765034f886e8bc9889f829a0265bde7559b9e738ff310be6747be083c377fecc76a007d2f464907bff80c6acfc90abf7f46a1408438554a01bff7e

Download Submit
memory/4524-7-0x00000000005C0000-0x00000000005C2000-memory.dmp

Filesize
8KB

Download