86476c13befcf2dc8aeafa1fd1396ca6328cf06e503465a82136abf0a64224f7

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86476c13befcf2dc8aeafa1fd1396ca6328cf06e503465a82136abf0a64224f7N.exe
Size

53KB
MD5

1f5ba68a00f2bb6b81f9ccea205f0a80
SHA1

45b6279a1f2d205621b8bc431e48a94311468e7c
SHA256

86476c13befcf2dc8aeafa1fd1396ca6328cf06e503465a82136abf0a64224f7
SHA512

3ad31053c5c4e9d68850c70aceff6f0d2fc272ab1c018ee81d3600496ea85594c622c3d36c3546e2830eb083c2c79d3b5e72f159a1cb2fee546aa63473479282
SSDEEP

1536:GNXg8r8QlaoMd7Kp3StjEMjmLM3ztDJWZsXy4JzxPME:waoMdJJjmLM3zRJWZsXy4Jt

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2328	waeum.exe

Loads dropped DLL 7 IoCs

pid	Process
2320	86476c13befcf2dc8aeafa1fd1396ca6328cf06e503465a82136abf0a64224f7N.exe
2320	86476c13befcf2dc8aeafa1fd1396ca6328cf06e503465a82136abf0a64224f7N.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2672	2320	WerFault.exe	28
2760	2328	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	waeum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86476c13befcf2dc8aeafa1fd1396ca6328cf06e503465a82136abf0a64224f7N.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2320	86476c13befcf2dc8aeafa1fd1396ca6328cf06e503465a82136abf0a64224f7N.exe
2328	waeum.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2328	2320	86476c13befcf2dc8aeafa1fd1396ca6328cf06e503465a82136abf0a64224f7N.exe	29
PID 2320 wrote to memory of 2328	2320	86476c13befcf2dc8aeafa1fd1396ca6328cf06e503465a82136abf0a64224f7N.exe	29
PID 2320 wrote to memory of 2328	2320	86476c13befcf2dc8aeafa1fd1396ca6328cf06e503465a82136abf0a64224f7N.exe	29
PID 2320 wrote to memory of 2328	2320	86476c13befcf2dc8aeafa1fd1396ca6328cf06e503465a82136abf0a64224f7N.exe	29
PID 2320 wrote to memory of 2672	2320	86476c13befcf2dc8aeafa1fd1396ca6328cf06e503465a82136abf0a64224f7N.exe	30
PID 2320 wrote to memory of 2672	2320	86476c13befcf2dc8aeafa1fd1396ca6328cf06e503465a82136abf0a64224f7N.exe	30
PID 2320 wrote to memory of 2672	2320	86476c13befcf2dc8aeafa1fd1396ca6328cf06e503465a82136abf0a64224f7N.exe	30
PID 2320 wrote to memory of 2672	2320	86476c13befcf2dc8aeafa1fd1396ca6328cf06e503465a82136abf0a64224f7N.exe	30
PID 2328 wrote to memory of 2760	2328	waeum.exe	31
PID 2328 wrote to memory of 2760	2328	waeum.exe	31
PID 2328 wrote to memory of 2760	2328	waeum.exe	31
PID 2328 wrote to memory of 2760	2328	waeum.exe	31

C:\Users\Admin\AppData\Local\Temp\86476c13befcf2dc8aeafa1fd1396ca6328cf06e503465a82136abf0a64224f7N.exe
"C:\Users\Admin\AppData\Local\Temp\86476c13befcf2dc8aeafa1fd1396ca6328cf06e503465a82136abf0a64224f7N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\waeum.exe
  "C:\Users\Admin\waeum.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 280
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 468
  2⤵
  - Program crash
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\waeum.exe

Filesize
53KB

MD5
a7e5fb02dee628754b7d6da94dd8d1b0

SHA1
de03b8bd3316d47926ea103c2fa69b4042d11ad9

SHA256
42b22fb3f74f68fb6eb570d4ec7877b9bd303f7bd46147920df1d8400662516c

SHA512
e9b21620e00f72b75616722049f0f11563887ff12901be113b2e7f52477d0b159c1cf80493b3557fbe20ce5509ff83d85e85ec90838c6ee0f805a05952d4dc48

Download Submit
memory/2320-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2320-9-0x0000000003880000-0x0000000003892000-memory.dmp

Filesize
72KB

Download
memory/2320-24-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2328-23-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download