Analysis
-
max time kernel
135s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
31-10-2024 08:24
Behavioral task
behavioral1
Sample
a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe
Resource
win10v2004-20241007-en
General
-
Target
a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe
-
Size
8.7MB
-
MD5
1e2b162c2e47cc8d0027d87a2be80fb2
-
SHA1
295516b1552baf25770dcb593c26e66f68d73fdb
-
SHA256
a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50
-
SHA512
4a4305dae0c2cf58c27035e82643f1f901620712516ae94ce6b3ec36f166d99434ba038ce386e3154e642e7f91b8e786344aa35b8d8eb8b5a0b4cb494643718a
-
SSDEEP
196608:D+XY+H6QTLMMiUs5n7W99q7riZINE5MLXthfMcR5u7JhepRsBVximgEyVFAcm2nR:D+XY+XJClW7KrSINEI0468
Malware Config
Signatures
-
Loads dropped DLL 16 IoCs
Processes:
a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exepid Process 1676 a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe 1676 a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe 1676 a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe 1676 a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe 1676 a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe 1676 a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe 1676 a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe 1676 a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe 1676 a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe 1676 a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe 1676 a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe 1676 a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe 1676 a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe 1676 a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe 1676 a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe 1676 a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 1524 1676 WerFault.exe 85 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exea5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exedescription pid Process Token: 35 1676 a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exedescription pid Process procid_target PID 1172 wrote to memory of 1676 1172 a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe 85 PID 1172 wrote to memory of 1676 1172 a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe 85 PID 1172 wrote to memory of 1676 1172 a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe"C:\Users\Admin\AppData\Local\Temp\a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Users\Admin\AppData\Local\Temp\a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe"C:\Users\Admin\AppData\Local\Temp\a5fead260ed164d0df541b1548ca9a05ce4a73e53ba9ec8adaa6c2c006e8ba50.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1676 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 6403⤵
- Program crash
PID:1524
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1676 -ip 16761⤵PID:1400
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
81KB
MD555c8e69dab59e56951d31350d7a94011
SHA1b6af2d245ae4d67c38eb1cd31e0c1cffb29b9b2c
SHA2569d8d21022ff9d3f6b81a45209662a4f3481edc2befae0c73b83cf942eab8be25
SHA512efb2ac1891724df16268480628eb230b6ee37ed47b56d2e02a260559865cdd48ee340ce445e58f625e0f4d6dbdc5bfb7ce2eeedf564b837cff255ef7d1dc58cd
-
Filesize
152KB
MD50c6f3ae411e82b37ab4d6fbc22a3ef7c
SHA18ac797b5a703a1f10ec10e1ecc8c04d6aaebcafd
SHA25633a5ab6c627527887b82058c4dbfbfd5d88bbf187302e73aa3169b81e12cba40
SHA51248385d18cc1ef13a9b68c3e9450d1980f0bd9ef466c44c94350e418f7daea86f97e60ab5de8a43d2efc34ab49c47cbe87c6ef35679473528a1840e940e3cdad2
-
Filesize
24KB
MD5a9918e714e28a0d4a167c4a73f554d81
SHA169a4fef9eb1e3bc779bece2ab946e2604dad419a
SHA256661aa7ab2cd173b112fef560a3bf63a87c906c8b184cb261632c5a32c6c25185
SHA5122d295fb57021f1cb9cdf15aaabbaf6a7393f918f675c3bfea58a2205ba948ce15a787254008ba7b146eb55474b24e772b2886fee4e3f98a68011df54ff5d4408
-
Filesize
16KB
MD50c637a3df9380c487613bca1c6c9f741
SHA1f958597c6503599964e26d8df7d4804bb3993c0e
SHA2569774e28ffca8b222f32afca5a34bfefb01e53188630be7cffcf615b3a068b0c1
SHA512e0e5f3814d6942e96fb21cc3ea42b523cfafcf3c32b9ffa1a8a05631c85b45226a7523546cd13a22998e71498ae6e1c051d84f6335391cc80990702d4780188d
-
Filesize
57KB
MD52e407bb1a3a58191c0f68c1ec3cd5b36
SHA1bb5998b7113dcb2b2229a8c6e35ddb6b09ddbf91
SHA2562ba14eda8ac2189ee7c0b136f653030c5078deaf3a792ee47e9b9a4b859a0675
SHA51247d4bdc956916c0444984a42dce9713cefb06053eea24010721f41b3a5ec2b8e15c16a80531a84ee12067b7283d332356ca69cd6b9c51a07d7ce3ee139869fb6
-
Filesize
60KB
MD5f1218553c9cac6b919bc02fb1797bf13
SHA186fda1e8e284aebdb8759b8f969cedf5ae8358e4
SHA256c219f1422e72e14e821fe15acea9593cfa05dfe20ba177085784d858df3895ef
SHA5125799823767d0d72dca0ee970f32c60b6a7c5a9a19a20c19371e8832eb984124b1824cb340bcf04082508ed60fa1e74f026e5ee88928bb2e0392fb2ce30cc68f6
-
Filesize
760KB
MD5fd5fe899ed57da817989475a9fa80b17
SHA1c0a99e0b7c9c182384d38905193182355a65a053
SHA256f3a57a4a006a3e6b9b335d1593f39f9dacdb61fc46d0c5e416dd10bf41e6c663
SHA5123460cd47a3ff27b433a122a302afbd535918ba528ab8e24b71a3b25f118b5c67d4a2f83710f89c1c7f04543d6684fe0ad23ddb64a2c7ffe19ac8244f1d25ab49
-
Filesize
2.8MB
MD52e94d89f4bc1a67e750d6f0805c21b40
SHA1758c4921e4aed1053d5e970fc3e42123abcdb6c6
SHA2565c9ca3556e7fb2cfd85e8994c6aa19ccbdb57247d39183c542beade9658dff1d
SHA512ed7fd7fc08a53ed54c8750bcce8e8d5bd76029b4fbc78eec4779776b6c5ef955631547e83a9c6bcfd59d830ba05b4fc85ac18146566f29c85725384298e304b5
-
Filesize
1.3MB
MD5656648dec6c8869cd06ce78f925d2ef0
SHA1eff515fdebee02707c48f785938d7714588f050e
SHA25685d4d4359fe3a74b04d9c6faebe95a37a9327a5101b0d8b2a394b23362914c6a
SHA512995527a74a0fbe1ffd8c16c598c203b64af3bfaf99c1d99428d8cf7aa08246c5c8001bdced892dd64ae35f64536612cbfe2db32fa953ae1b52abcfc97b8aeaa4
-
Filesize
2.4MB
MD5c5683ecbe1584f225b666a54c95ce73f
SHA1014430aabc070c583441aa121291f9bb06dae670
SHA2560054ced974ae447c3d6e9ca312feb8a0a5dcca81dd92e940d3d8276add3e2f00
SHA512f46472ba5276a0d6c5826d158e24224e2c2de285807999cf90d3793f6c8a103de9f412de9cefa56b24a18ef3996cc695ba437d8957b87bfd0ee7e7810909cdbe
-
Filesize
50KB
MD5d099405b08a79927f08ab28246810866
SHA11af78315a6cf2d1fdc6555b568118c174658d104
SHA256b51c88ac791ed574edfb2e346095fbc296a2c36250c2bffdd28bb424d8135ae7
SHA5127874b354792d2244d1484367ef6a6ab09d620d431c812f206c4c976b81433d6c4f17d14d1f642622271c15931f190e3aa9042245873faa51d36705aad578562c
-
Filesize
2.9MB
MD5286dd0bde2b853a611e7e193a28d411d
SHA1460eb1717bff4e358cbf10d73b779f475a36e11d
SHA2565a2547ffc53680bca395e61714e36f35f25ddd7099e1e7ee0bda04865e9012b6
SHA512f900c830592ff64145bde86ed7331bf6655a6ed12b55bdedf7666e5d96bf53865637ae08e62541b06211952887db0d229c47e30447ac3f9567d31c3f3730a2fe
-
Filesize
115KB
MD577719818e673e7fa6e1c570859530fb7
SHA15f4d3ee11c55f561924c9a3261fb7b5067b2e2c4
SHA25615744c8a510b30c7574d4a687ab42e934b9dbc43ba64fa0ed0d6b4e4a68dc81d
SHA51285a58f98c5759eadc37f4c606a1b717c3618bfd46113361805f2b893e0146399bb3ddd112f2ec7da029f9ba5e2e23ba604f775497db40209547e7f99eb7fe71f
-
Filesize
16KB
MD51997b89ddd2df6c3b4fcf6f05ab15aab
SHA1cde9100e69cfa8020328db4c56824dbcdab3e9f1
SHA256f94e54d25ba8c9c41ee2496a1887df215b7ca5b4f8ee47aa7db98168a2498b60
SHA5123110dac4d9430dddda868e54eb6de1865e88e4e5a912fc4d267eee1f84712aa7103c71119a2cc43f7eb15287073725e69d7e7f102a32936fdb85530521eedd2b
-
Filesize
1.1MB
MD5d2611a4ecb84a924b53e6175e81dd923
SHA13d7dd01e3f7e851a689a2180cf0df7c1a230e3f7
SHA256d2e2270be83e25a1895407cf087b5dbfdf1c82478dc19d7e4e6ac00060a2e121
SHA51278cff3a5905e64ee162806e63c229593cd332e47bcf0044c9a8aed9b92d3bc11d6c90673ebdd0c6764d7c4db9455a6c7eeea241c062c70e302b81afcd1eae6e6
-
Filesize
1.1MB
MD56343ff7874ba03f78bb0dfe20b45f817
SHA182221a9ac1c1b8006f3f5e8539e74e3308f10bcb
SHA2566f8f05993b8a25cadf5e301e58194c4d23402e467229b12e40956e4f128588b3
SHA51263c3d3207577d4761103daf3f9901dd0a0ae8a89694ad1128fd7e054627cdd930d1020049317c5a898411735e2f75e2103ae303e7e514b6387a3c8463a4fb994
-
Filesize
105KB
MD58922e3edd7e8a956d5992f1b23b13926
SHA1c98507e702395abba0add66e23461edef18c8a9e
SHA256b4acd9df9ee1ad1df6ea247695bf980d3d60e2ce4a8b163101f4dfb2530eb097
SHA512724ba6ff0b1ecae8cf44d86568ac5fce7d3318dd50a5e164af964ba20fb0338ad2f7b6e44b4438ebaafb4e988a91c9fe88aee91aae234019f81d0434cac2f381