95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8d

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
Size

832KB
MD5

d6d0b92116e48490912cdea061168b90
SHA1

69841f41fa1159d56f7e8b91d93485f5263bbd81
SHA256

95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8d
SHA512

cc68c411612c7046708a67566a0331ce9a708d486b69decbd1797246e6cb0164e5d1baaa6d001cf5851afa3402d6dff148b5201f3b433dd7dcf27ffd744ae0e3
SSDEEP

12288:aIsHJYKRhcNKFH9cor6D9d9pA6etej3uC+IOJ5D9d9pA20ER1Oxffk:amUH9corgZKnJpx0Xhk

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3008	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe

Executes dropped EXE 1 IoCs

pid	Process
3008	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 21 IoCs

pid	pid_target	Process	procid_target
532	4984	WerFault.exe	81
5088	3008	WerFault.exe	85
4016	3008	WerFault.exe	85
4816	3008	WerFault.exe	85
4788	3008	WerFault.exe	85
716	3008	WerFault.exe	85
3752	3008	WerFault.exe	85
3736	3008	WerFault.exe	85
4536	3008	WerFault.exe	85
4876	3008	WerFault.exe	85
5028	3008	WerFault.exe	85
4384	3008	WerFault.exe	85
3256	3008	WerFault.exe	85
4588	3008	WerFault.exe	85
3424	3008	WerFault.exe	85
2596	3008	WerFault.exe	85
1948	3008	WerFault.exe	85
4572	3008	WerFault.exe	85
944	3008	WerFault.exe	85
1572	3008	WerFault.exe	85
3960	3008	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4984	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3008	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3008	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 3008	4984	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe	85
PID 4984 wrote to memory of 3008	4984	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe	85
PID 4984 wrote to memory of 3008	4984	95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe	85

C:\Users\Admin\AppData\Local\Temp\95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
"C:\Users\Admin\AppData\Local\Temp\95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 384
  2⤵
  - Program crash
  PID:532
- C:\Users\Admin\AppData\Local\Temp\95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
  C:\Users\Admin\AppData\Local\Temp\95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  PID:3008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 352
    3⤵
    - Program crash
    PID:5088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 912
    3⤵
    - Program crash
    PID:4016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1176
    3⤵
    - Program crash
    PID:4816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1224
    3⤵
    - Program crash
    PID:4788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1216
    3⤵
    - Program crash
    PID:716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1316
    3⤵
    - Program crash
    PID:3752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1404
    3⤵
    - Program crash
    PID:3736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1324
    3⤵
    - Program crash
    PID:4536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1512
    3⤵
    - Program crash
    PID:4876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1508
    3⤵
    - Program crash
    PID:5028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1520
    3⤵
    - Program crash
    PID:4384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1524
    3⤵
    - Program crash
    PID:3256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1664
    3⤵
    - Program crash
    PID:4588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1788
    3⤵
    - Program crash
    PID:3424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1936
    3⤵
    - Program crash
    PID:2596
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1936
    3⤵
    - Program crash
    PID:1948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1492
    3⤵
    - Program crash
    PID:4572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 2192
    3⤵
    - Program crash
    PID:944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 2464
    3⤵
    - Program crash
    PID:1572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1624
    3⤵
    - Program crash
    PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4984 -ip 4984
1⤵
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3008 -ip 3008
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3008 -ip 3008
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3008 -ip 3008
1⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3008 -ip 3008
1⤵
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3008 -ip 3008
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3008 -ip 3008
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3008 -ip 3008
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3008 -ip 3008
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3008 -ip 3008
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3008 -ip 3008
1⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3008 -ip 3008
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3008 -ip 3008
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3008 -ip 3008
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3008 -ip 3008
1⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3008 -ip 3008
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3008 -ip 3008
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3008 -ip 3008
1⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3008 -ip 3008
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3008 -ip 3008
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3008 -ip 3008
1⤵
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\95392213fe37d1335019a10016946db42c63f93ea770491226439e9b59dd2b8dN.exe

Filesize
832KB

MD5
77be7d0009b7adbbf3146f38f38fa849

SHA1
fa8b40c3b380ef18f2374d1e1bdfd934d69fe3e0

SHA256
b267e249f2f21ea034ed3ab6835b83b5f4a6e281e6dae7a576a8a9115197d059

SHA512
bf06bdc2a951fc50a6885e5693cecfc7ac22424e80a63a4ae592dd7371213e07fa2e2334e0e04435394cdc6c3f8eb392df5fa87ce8f55b30ce444e90e4fb5bb1

Download Submit
memory/3008-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3008-8-0x0000000001510000-0x0000000001546000-memory.dmp

Filesize
216KB

Download
memory/3008-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3008-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4984-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4984-6-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download