916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecde

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe
Size

307KB
MD5

28f2c3e63f1fd1357d2cfe72869b53c0
SHA1

173d8ff1943f864ea06ef27921ed0e5e2216666f
SHA256

916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecde
SHA512

c1fe8d6e948521b9d30e4275031b1ff2a2ffb4ff5bd1b0214e631cc4efe3e2613d3edd27c437329edce64f09c35721cc132604c9c2631f2c0269c7ad7a9d9994
SSDEEP

6144:RNeZbN827N5wptBh8EF6+ofNxn1g50EG8Y0lWNe7I+4auF9PX:RNONvJ+ptBCU6++gr86I+69PX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2764	xuhsbsshb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1324	2764	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xuhsbsshb.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 2764	1116	916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe	81
PID 1116 wrote to memory of 2764	1116	916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe	81
PID 1116 wrote to memory of 2764	1116	916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe	81
PID 2764 wrote to memory of 3012	2764	xuhsbsshb.exe	82
PID 2764 wrote to memory of 3012	2764	xuhsbsshb.exe	82
PID 2764 wrote to memory of 3012	2764	xuhsbsshb.exe	82
PID 2764 wrote to memory of 3012	2764	xuhsbsshb.exe	82

C:\Users\Admin\AppData\Local\Temp\916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe
"C:\Users\Admin\AppData\Local\Temp\916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\xuhsbsshb.exe
  C:\Users\Admin\AppData\Local\Temp\xuhsbsshb.exe C:\Users\Admin\AppData\Local\Temp\ukilojtrz
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\xuhsbsshb.exe
    C:\Users\Admin\AppData\Local\Temp\xuhsbsshb.exe C:\Users\Admin\AppData\Local\Temp\ukilojtrz
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 520
    3⤵
    - Program crash
    PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2764 -ip 2764
1⤵
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0j9qjdm913vb7j0eyxt

Filesize
213KB

MD5
46ff5a0f2ac2424921fd161e8497dd6a

SHA1
0086ed96bc8f03dd77eba02e5669fe1c54f90d79

SHA256
e8ccd88569cf6f25118135c988a15b8deab2bb3789537182219c41a33b08654b

SHA512
dad931f448fa198e666ea3d39d7941b0a385f64c67a2a1a5533ae6f3a0b199b3cd47dd622d3029b7e338a1f2ede917db58b3d9eb481474e5e47566775c3756b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukilojtrz

Filesize
4KB

MD5
94cdc5fa8c30e1c1d361a4d7deb9b3ca

SHA1
c1c7316895f5aa5cd5b51ef876056dbcb0814632

SHA256
e6f2622adb08b89a002a501a6c6615291eec326f6233a57152545fa3afa2a856

SHA512
dc7edda3e1f9e4947c9da0f6f63ffe46865d2f9225e2cca36c2292b8710610da2417e1067fde99fffd110012965fe7eda75fc7f8e662edb3e4c0a8c387ef8d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuhsbsshb.exe

Filesize
4KB

MD5
daa39e25fb5b25bd1e42408efdac928f

SHA1
665426ddf94268322d180128a92ddb2f45b1d3b8

SHA256
7e5a0ec65f4c96a6b8de07c341282da8777fc45f4976e415f1738fa165d0a272

SHA512
42cae6cc93a923965a65b70c68a46e63246d5af0175cbf7e4fc33ecf8d5bd2ffc1395c4237411292136daf36ebf132567cfa2f6dc2a7ec7d33d482cee2cb4903

Download Submit
memory/2764-8-0x0000000003120000-0x0000000003122000-memory.dmp

Filesize
8KB

Download