Analysis

  • max time kernel
    135s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/11/2024, 09:27

General

  • Target

    ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d.exe

  • Size

    1.4MB

  • MD5

    83e7ad8161455e90c7c32051be5dd529

  • SHA1

    443ffb5d55631689b0d5c43d2bd5426f2ce24e59

  • SHA256

    ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d

  • SHA512

    916a2c9e3f26b9fd6f338adee5eed101c9cb874f952c51fafbe9084ebbccb9ed84faa73d23af4afeeb41861f24553dce7f8cc8c2c19028b5a496ddf455fb3b82

  • SSDEEP

    24576:/qDEvCTbMWu7rQYlBQcBiT6rprG8aaf/49lT9X1U0da2vejCBDToJ:/TvC/MTQYxsWR7aafoe6DejCBvo

Score
7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 25 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d.exe
    "C:\Users\Admin\AppData\Local\Temp\ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3616
    • C:\Users\Admin\AppData\Local\Okeghem\Esher.exe
      "C:\Users\Admin\AppData\Local\Temp\ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4416
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d.exe"
        3⤵
          PID:336
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 696
          3⤵
          • Program crash
          PID:4752
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4416 -ip 4416
      1⤵
        PID:3960

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Okeghem\Esher.exe

              Filesize

              1.4MB

              MD5

              83e7ad8161455e90c7c32051be5dd529

              SHA1

              443ffb5d55631689b0d5c43d2bd5426f2ce24e59

              SHA256

              ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d

              SHA512

              916a2c9e3f26b9fd6f338adee5eed101c9cb874f952c51fafbe9084ebbccb9ed84faa73d23af4afeeb41861f24553dce7f8cc8c2c19028b5a496ddf455fb3b82

            • C:\Users\Admin\AppData\Local\Temp\totten

              Filesize

              205KB

              MD5

              fa24d82f7d5a910009bc5b8c41050fb7

              SHA1

              cf55405e7010ef3af8ef30e796933b30cb1e8715

              SHA256

              c2795222b48b13f6730585052854d55fb1ac252a652f3a3458974babb5f24d1c

              SHA512

              5be7d8da99f266a6559496ed4cbda76a2585e24dfe5d081467b1d136360c91fc492e8cb1750eb8362cd7ddf3e046f7362a980cf02039b8c53c060b5cdc7edb02

            • memory/3616-2-0x0000000000EA0000-0x00000000012A0000-memory.dmp

              Filesize

              4.0MB

            • memory/4416-10-0x0000000001400000-0x0000000001800000-memory.dmp

              Filesize

              4.0MB