97c23a0f4154323fe10548efd380d4e86af56b7992dd7d204ded4133db6c74c1

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

is161020.exe
Size

50KB
MD5

40f554e56880109834b83ab802875467
SHA1

e28e9e1a21d54230bc3dd7cc06e2f12e7316c7e6
SHA256

1f7ba302b943fa8f3a602d3212967b5aed16f9e5456cf407d0c4b3fd2bfe69d8
SHA512

fdbcffadb8ca00c0cceb71b25121329d3ccc8b71f8928f46be1cdb7f043549d7c4c1f6d91f6a1042eeee8c24f4f1a6854a7890878aa7a7e501c7205cde6be345
SSDEEP

1536:PX8WXtK1GTkFPogltzXW23p3YIyUWmyTLfaN:Bw1GYOgltz3SIyUlmj8

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1708	3028	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is161020.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 1708	3028	is161020.exe	30
PID 3028 wrote to memory of 1708	3028	is161020.exe	30
PID 3028 wrote to memory of 1708	3028	is161020.exe	30
PID 3028 wrote to memory of 1708	3028	is161020.exe	30

C:\Users\Admin\AppData\Local\Temp\is161020.exe
"C:\Users\Admin\AppData\Local\Temp\is161020.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 88
  2⤵
  - Program crash
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3028-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3028-1-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/3028-2-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download