5e3f13637b7d78f95b5df7978760a842f9d035f0d0dc32325a3f440f104af56c

Analysis

max time kernel
111s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e3f13637b7d78f95b5df7978760a842f9d035f0d0dc32325a3f440f104af56cN.exe
Size

4.0MB
MD5

a2ad73b993c16e51da2e348fea493d20
SHA1

1485821b511484d78143e59de31952e3ebf46f6b
SHA256

5e3f13637b7d78f95b5df7978760a842f9d035f0d0dc32325a3f440f104af56c
SHA512

4d5e0c80fa1543e6af931b7f2a09aa836b3caa252c4023e14c8f37ec64fd5bf12af92764f96d65d0116c80e9151f231776f0c98c81977a01a9c68ee8b2f8c7b5
SSDEEP

98304:hytuO3no55zLf9SpRIA2kqSDQVwe2Zfj2nAmzcQE0EITf:QtuO455P9ovq2He2mQ1ITf

Score

3^/10

discovery

Malware Config

Signatures

Program crash 11 IoCs

pid	pid_target	Process	procid_target
4824	1308	WerFault.exe	81
5112	1308	WerFault.exe	81
3680	1308	WerFault.exe	81
4668	1308	WerFault.exe	81
956	1308	WerFault.exe	81
1476	1308	WerFault.exe	81
1780	1308	WerFault.exe	81
3580	1308	WerFault.exe	81
2596	1308	WerFault.exe	81
4788	1308	WerFault.exe	81
4332	1308	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e3f13637b7d78f95b5df7978760a842f9d035f0d0dc32325a3f440f104af56cN.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1308	5e3f13637b7d78f95b5df7978760a842f9d035f0d0dc32325a3f440f104af56cN.exe
1308	5e3f13637b7d78f95b5df7978760a842f9d035f0d0dc32325a3f440f104af56cN.exe

C:\Users\Admin\AppData\Local\Temp\5e3f13637b7d78f95b5df7978760a842f9d035f0d0dc32325a3f440f104af56cN.exe
"C:\Users\Admin\AppData\Local\Temp\5e3f13637b7d78f95b5df7978760a842f9d035f0d0dc32325a3f440f104af56cN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 936
  2⤵
  - Program crash
  PID:4824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 948
  2⤵
  - Program crash
  PID:5112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1012
  2⤵
  - Program crash
  PID:3680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1128
  2⤵
  - Program crash
  PID:4668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1156
  2⤵
  - Program crash
  PID:956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1184
  2⤵
  - Program crash
  PID:1476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1220
  2⤵
  - Program crash
  PID:1780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1256
  2⤵
  - Program crash
  PID:3580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1200
  2⤵
  - Program crash
  PID:2596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1056
  2⤵
  - Program crash
  PID:4788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1416
  2⤵
  - Program crash
  PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1308 -ip 1308
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1308 -ip 1308
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1308 -ip 1308
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1308 -ip 1308
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1308 -ip 1308
1⤵
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1308 -ip 1308
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1308 -ip 1308
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1308 -ip 1308
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1308 -ip 1308
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1308 -ip 1308
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1308 -ip 1308
1⤵
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1308-0-0x0000000000400000-0x0000000000C10000-memory.dmp

Filesize
8.1MB

Download
memory/1308-1-0x0000000000400000-0x0000000000C10000-memory.dmp

Filesize
8.1MB

Download
memory/1308-2-0x0000000000400000-0x000000000090A000-memory.dmp

Filesize
5.0MB

Download
memory/1308-3-0x0000000000400000-0x0000000000C10000-memory.dmp

Filesize
8.1MB

Download
memory/1308-4-0x0000000000400000-0x000000000090A000-memory.dmp

Filesize
5.0MB

Download
memory/1308-5-0x0000000000400000-0x0000000000C10000-memory.dmp

Filesize
8.1MB

Download
memory/1308-6-0x0000000000400000-0x0000000000C10000-memory.dmp

Filesize
8.1MB

Download
memory/1308-7-0x0000000000400000-0x0000000000C10000-memory.dmp

Filesize
8.1MB

Download