1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96

Analysis

max time kernel
92s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 19:17 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe
Size

205KB
MD5

f4b030d8f06fcdeab6dbc5a8d90ea949
SHA1

c433438398b9dc5644dc5244255b592098069d8e
SHA256

1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96
SHA512

7de46b5fa25dac43206df4b468cb3773828e46d3c38945d0eae49735812ac8e4974d53093f59333cd7f4d689887bf105df0a53d0c76a80b131a77b0137de2702
SSDEEP

3072:0IXqry+d3DxQcv7zhWPk65Ui8BhmqjNj8DCUNUO42YwHdKpUUzE0mu87Gw:dQCcv7Mk6bgL5jMCeU3dRCUI0mu8

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4164	1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sshnas21.dll	1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2908	4164	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4164	1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe

C:\Users\Admin\AppData\Local\Temp\1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe
"C:\Users\Admin\AppData\Local\Temp\1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 716
  2⤵
  - Program crash
  PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4164 -ip 4164
1⤵
PID:1300

Network

DNS

doubleclick.com

1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe

Remote address:

8.8.8.8:53

Request

doubleclick.com

IN A

Response

doubleclick.com

IN A

216.58.201.110
DNS

tudou.com

1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe

Remote address:

8.8.8.8:53

Request

tudou.com

IN A

Response

tudou.com

IN A

106.11.43.246
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

22.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.160.190.20.in-addr.arpa

IN PTR

Response
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

108.11.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

108.11.19.2.in-addr.arpa

IN PTR

Response

108.11.19.2.in-addr.arpa

IN PTR

a2-19-11-108deploystaticakamaitechnologiescom
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom

No results found

8.8.8.8:53

doubleclick.com

dns

1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe

61 B
77 B
1
1

DNS Request

doubleclick.com

DNS Response

216.58.201.110
8.8.8.8:53

tudou.com

dns

1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe

55 B
71 B
1
1

DNS Request

tudou.com

DNS Response

106.11.43.246
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

22.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.160.190.20.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

108.11.19.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

108.11.19.2.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sshnas21.dll

Filesize
168KB

MD5
b503f151c4fe95f2f2ffcaf97f746dd1

SHA1
523db101958241c31c2ef9c6b069724984878852

SHA256
b4e71f48a336443a64ba38079714b607072e10f81365793b5d710ed65cb44564

SHA512
ee0abce32c2d1a08eec76e0b0c44f358881e08576802e65df3252c6008a24791ba9acf2af9d3ccf9b74482c575afbdcf5510ee4860597d01e5f4fc841b00e489

Download Submit
memory/4164-1-0x0000000002120000-0x0000000002145000-memory.dmp

Filesize
148KB

Download
memory/4164-2-0x0000000000404000-0x0000000000405000-memory.dmp

Filesize
4KB

Download
memory/4164-9-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4164-10-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.