479be1c9b73479d5bc516632bac199e8765a21d4a21d4f64ba41222a68f9da3e

Analysis

max time kernel
96s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 07:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

479be1c9b73479d5bc516632bac199e8765a21d4a21d4f64ba41222a68f9da3eN.exe
Size

202KB
MD5

fc7c15464c5744541877199dd169cea0
SHA1

565720881031692c3225e2d23ba6073bd7240ee7
SHA256

479be1c9b73479d5bc516632bac199e8765a21d4a21d4f64ba41222a68f9da3e
SHA512

5c31372de84b21e5a666b273be50b5e5154fd3a18c7bb923067b89055053d605b8d68484c7e482b7048a78056e63bc0b25cb6fa731126a9a33fca8f923c223e0
SSDEEP

3072:p8JDg+MjmpYKeA3A+Jfe7hSNu6MfMyJzE5bk7HgcDobaBZqDy2zCnIqiPVvzP:p1c++2WOE5w7AcCaBE5AIqQrP

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1424	479be1c9b73479d5bc516632bac199e8765a21d4a21d4f64ba41222a68f9da3eN.exe

Executes dropped EXE 1 IoCs

pid	Process
1424	479be1c9b73479d5bc516632bac199e8765a21d4a21d4f64ba41222a68f9da3eN.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4876	1096	WerFault.exe	81
3264	1424	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	479be1c9b73479d5bc516632bac199e8765a21d4a21d4f64ba41222a68f9da3eN.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1096	479be1c9b73479d5bc516632bac199e8765a21d4a21d4f64ba41222a68f9da3eN.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1424	479be1c9b73479d5bc516632bac199e8765a21d4a21d4f64ba41222a68f9da3eN.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1424	1096	479be1c9b73479d5bc516632bac199e8765a21d4a21d4f64ba41222a68f9da3eN.exe	86
PID 1096 wrote to memory of 1424	1096	479be1c9b73479d5bc516632bac199e8765a21d4a21d4f64ba41222a68f9da3eN.exe	86
PID 1096 wrote to memory of 1424	1096	479be1c9b73479d5bc516632bac199e8765a21d4a21d4f64ba41222a68f9da3eN.exe	86

C:\Users\Admin\AppData\Local\Temp\479be1c9b73479d5bc516632bac199e8765a21d4a21d4f64ba41222a68f9da3eN.exe
"C:\Users\Admin\AppData\Local\Temp\479be1c9b73479d5bc516632bac199e8765a21d4a21d4f64ba41222a68f9da3eN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 396
  2⤵
  - Program crash
  PID:4876
- C:\Users\Admin\AppData\Local\Temp\479be1c9b73479d5bc516632bac199e8765a21d4a21d4f64ba41222a68f9da3eN.exe
  C:\Users\Admin\AppData\Local\Temp\479be1c9b73479d5bc516632bac199e8765a21d4a21d4f64ba41222a68f9da3eN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 368
    3⤵
    - Program crash
    PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1096 -ip 1096
1⤵
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1424 -ip 1424
1⤵
PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\479be1c9b73479d5bc516632bac199e8765a21d4a21d4f64ba41222a68f9da3eN.exe

Filesize
202KB

MD5
3f82d035b5483c70e105b5f90bb39d1a

SHA1
c30e37e16ba3b525a1e312a99e381c87d20bc57a

SHA256
8ba21ebd16a8a67513f3390716e8f4d67ec4c3e212fe44833ae8e06f7e670152

SHA512
db2f6d01b9a38fca010a280b9e100a09b923bcbd2816cc8357db17e9c013b4005227fb5acfa4abd2fa40bcfb4cf8ec8345f01a4c58a0bd177eb17bf02891afed

Download Submit
memory/1096-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1096-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1424-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1424-8-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1424-13-0x0000000001480000-0x00000000014BE000-memory.dmp

Filesize
248KB

Download
memory/1424-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download