c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe
Size

205KB
MD5

03391529051474aa9bddad0823cfed50
SHA1

cb4c154ace7a7b787a296f49f219d79e5b53a703
SHA256

c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8
SHA512

6ba1396e49adf0eabdf2f530b92c465e51e1fb01a4550ef37f2bad99a57bf2419837ba4fce7f1d4a94d0f33a99636bfe336d76e9f8d514a1a3c3dae46b943180
SSDEEP

3072:0IXqry+d3DxQcv7zhWPk65Ui8BhmqjNj8DCUNUO42YwHdKpUUzE0mu87dw:dQCcv7Mk6bgL5jMCeU3dRCUI0mu8

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2672	c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sshnas21.dll	c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3268	2672	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2672	c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe

C:\Users\Admin\AppData\Local\Temp\c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe
"C:\Users\Admin\AppData\Local\Temp\c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 764
  2⤵
  - Program crash
  PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2672 -ip 2672
1⤵
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sshnas21.dll

Filesize
168KB

MD5
caed3112296a712c1e494b9dc3b4231b

SHA1
f92d258b3b87a649f2058a0e8d67d240e67c8771

SHA256
63e60a191f53b023956902976d8a6cce61a3e9c1d59aa27a6555a1fed789402f

SHA512
8b9461911082a6e55762ad967e5d34f3bf4e8a0f8fb554b2e0459622840e207c23bf842aaef574be58badec02b7918774c897f293afb67e744ee39754c16e5ab

Download Submit
memory/2672-1-0x0000000002270000-0x0000000002295000-memory.dmp

Filesize
148KB

Download
memory/2672-2-0x0000000000404000-0x0000000000405000-memory.dmp

Filesize
4KB

Download
memory/2672-9-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2672-10-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download