7d40964cc08a2a393d35334c9e2a161d858584b8e0ad5cd8cdc2807ff2e07620

Analysis

max time kernel
110s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d40964cc08a2a393d35334c9e2a161d858584b8e0ad5cd8cdc2807ff2e07620N.exe
Size

5.6MB
MD5

3f324634f614e1cc139eb25f5df478a0
SHA1

864cb782cb0f02446c058ac3891cace56baaca59
SHA256

7d40964cc08a2a393d35334c9e2a161d858584b8e0ad5cd8cdc2807ff2e07620
SHA512

bc6bd524fd28ed47a6d8b6dfe5e817bd79b4c7c2d9b20bec1bf2017f5668914dba0025f77d114c35957cd32857f909123f2723cd2d9a7f6455dca808653eab3d
SSDEEP

98304:kDZNdWK8wADYcS6Cpyu/Y2OQuuNH9NM2W0DEhczu0K6e3uCIDTHg6Y7sJbNZmNLT:kDNntAEMu/zOQu21rEhczgdtn

Score

3^/10

discovery

Malware Config

Signatures

Program crash 11 IoCs

pid	pid_target	Process	procid_target
3808	2588	WerFault.exe	81
3584	2588	WerFault.exe	81
4496	2588	WerFault.exe	81
4992	2588	WerFault.exe	81
2232	2588	WerFault.exe	81
2972	2588	WerFault.exe	81
2720	2588	WerFault.exe	81
4596	2588	WerFault.exe	81
2420	2588	WerFault.exe	81
4576	2588	WerFault.exe	81
1436	2588	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d40964cc08a2a393d35334c9e2a161d858584b8e0ad5cd8cdc2807ff2e07620N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2588	7d40964cc08a2a393d35334c9e2a161d858584b8e0ad5cd8cdc2807ff2e07620N.exe
2588	7d40964cc08a2a393d35334c9e2a161d858584b8e0ad5cd8cdc2807ff2e07620N.exe

C:\Users\Admin\AppData\Local\Temp\7d40964cc08a2a393d35334c9e2a161d858584b8e0ad5cd8cdc2807ff2e07620N.exe
"C:\Users\Admin\AppData\Local\Temp\7d40964cc08a2a393d35334c9e2a161d858584b8e0ad5cd8cdc2807ff2e07620N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 852
  2⤵
  - Program crash
  PID:3808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 868
  2⤵
  - Program crash
  PID:3584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 872
  2⤵
  - Program crash
  PID:4496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 1052
  2⤵
  - Program crash
  PID:4992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 1092
  2⤵
  - Program crash
  PID:2232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 1092
  2⤵
  - Program crash
  PID:2972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 1104
  2⤵
  - Program crash
  PID:2720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 1120
  2⤵
  - Program crash
  PID:4596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 1136
  2⤵
  - Program crash
  PID:2420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 968
  2⤵
  - Program crash
  PID:4576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 856
  2⤵
  - Program crash
  PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2588 -ip 2588
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2588 -ip 2588
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2588 -ip 2588
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2588 -ip 2588
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2588 -ip 2588
1⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2588 -ip 2588
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2588 -ip 2588
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2588 -ip 2588
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2588 -ip 2588
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2588 -ip 2588
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2588 -ip 2588
1⤵
PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2588-0-0x0000000000400000-0x0000000000D97000-memory.dmp

Filesize
9.6MB

Download
memory/2588-1-0x0000000000400000-0x0000000000D97000-memory.dmp

Filesize
9.6MB

Download
memory/2588-2-0x0000000000400000-0x000000000090A000-memory.dmp

Filesize
5.0MB

Download
memory/2588-3-0x0000000000400000-0x0000000000D97000-memory.dmp

Filesize
9.6MB

Download
memory/2588-4-0x0000000000400000-0x0000000000D97000-memory.dmp

Filesize
9.6MB

Download
memory/2588-6-0x0000000000400000-0x000000000090A000-memory.dmp

Filesize
5.0MB

Download
memory/2588-5-0x0000000000400000-0x0000000000D97000-memory.dmp

Filesize
9.6MB

Download
memory/2588-7-0x0000000000400000-0x0000000000D97000-memory.dmp

Filesize
9.6MB

Download
memory/2588-8-0x0000000000400000-0x0000000000D97000-memory.dmp

Filesize
9.6MB

Download