e9f7cfd8b9d74705231e5f33e572447688fb8973a26db1c8b608872117ee3e18

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9f7cfd8b9d74705231e5f33e572447688fb8973a26db1c8b608872117ee3e18N.exe
Size

425KB
MD5

9e3e2b8f340761fd7f3630a5d6b1e340
SHA1

412eb58ce7d49774bc23ab59a29609ac934b3f88
SHA256

e9f7cfd8b9d74705231e5f33e572447688fb8973a26db1c8b608872117ee3e18
SHA512

85dcb2079a0906fbb6f9dbef556638e55ce4f619d4830083f2de558c7f5f9ef4c61c57f47f31712f4f21bf2487fcf604889425da3c7872686a53cb2b43df4eac
SSDEEP

12288:oNe9Z6Vh5xgJbZ3HxORkEE8T+BFd5kYhbua2TbxKzQkYI:oNOZ663HxqkEYBhk2UbaQkYI

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2380	cpjkhm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1448	2380	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cpjkhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9f7cfd8b9d74705231e5f33e572447688fb8973a26db1c8b608872117ee3e18N.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2380	1640	e9f7cfd8b9d74705231e5f33e572447688fb8973a26db1c8b608872117ee3e18N.exe	82
PID 1640 wrote to memory of 2380	1640	e9f7cfd8b9d74705231e5f33e572447688fb8973a26db1c8b608872117ee3e18N.exe	82
PID 1640 wrote to memory of 2380	1640	e9f7cfd8b9d74705231e5f33e572447688fb8973a26db1c8b608872117ee3e18N.exe	82
PID 2380 wrote to memory of 1044	2380	cpjkhm.exe	83
PID 2380 wrote to memory of 1044	2380	cpjkhm.exe	83
PID 2380 wrote to memory of 1044	2380	cpjkhm.exe	83

C:\Users\Admin\AppData\Local\Temp\e9f7cfd8b9d74705231e5f33e572447688fb8973a26db1c8b608872117ee3e18N.exe
"C:\Users\Admin\AppData\Local\Temp\e9f7cfd8b9d74705231e5f33e572447688fb8973a26db1c8b608872117ee3e18N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\cpjkhm.exe
  C:\Users\Admin\AppData\Local\Temp\cpjkhm.exe C:\Users\Admin\AppData\Local\Temp\rsrpwoa
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Users\Admin\AppData\Local\Temp\cpjkhm.exe
    C:\Users\Admin\AppData\Local\Temp\cpjkhm.exe C:\Users\Admin\AppData\Local\Temp\rsrpwoa
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 588
    3⤵
    - Program crash
    PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2380 -ip 2380
1⤵
PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\43tamsc4ul0czb3zcwio

Filesize
164KB

MD5
443aa56a81564e582bd77f49e097ec1d

SHA1
499b8d829bd4039cdbcfbc460721a960dddbc331

SHA256
2b20bdb5ba885f7048423ba5101a8ba25572edc83b47bf9a91e4759289e7203e

SHA512
9006d9f9924e40f3750e7c57fb5b877608ea8e64604430052fa0c996de15bf290b7425a317d93d95e66a2bd4e8f00561620d8eaffca04e2400010e25f2e773c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpjkhm.exe

Filesize
4KB

MD5
c910a97bac72a537aa24144427c69290

SHA1
98382514ee34de89bdf8da5e0c136c5d0cb4097a

SHA256
4921031a6f9c7d20fe0a849eee9f16d792733fd34f32b346ac43098421093c43

SHA512
2440c8fa743ba50b3ed973fb514e5a636a0aad82fafa48415e840df18f44d6553d450edad7cb417623288b883ea6316fbe40a567bc7e3ca85035b9b03740bc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsrpwoa

Filesize
5KB

MD5
b1eb9cee4d231da2b61529d7d08e1462

SHA1
a5899d003c42eb8217bf3ef0c6e5795817ee601b

SHA256
f819a228776b0f2f3b5842b4bd88ab443c7fb653e0ff956f4901d684d3bbe8c3

SHA512
8190ae6716d0aa64af9f44990faaee1b7c27fc8881006dcd43a02de03a93f21ddf7757084c601b4cf450e2e61d7e714283e8be23f4d0ff533b5a913800078f7f

Download Submit
memory/2380-8-0x0000000000680000-0x0000000000682000-memory.dmp

Filesize
8KB

Download