Analysis
- max time kernel: 101s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/11/2024, 11:36
Static task: static1
Behavioral task: behavioral1
- Sample: 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
- Resource: win10v2004-20241007-en
General
- Target: 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
- Size: 376KB
- MD5: 7eda0c1fc67c5ead8bcd2ce416e32f80
- SHA1: 95ac24f1d0117b95b0dc2576d718b972b03349b0
- SHA256: 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1
- SHA512: 15b0e2815f15b950c012a48c3a09fe024432a4048be0cda124bd64a331d863af435a6caabfbada8c3d294a13dd71415505dd1b93d3a6c785b2afdc713dfe6974
- SSDEEP: 6144:0/rdtbLPUgwRPx2eNAvC2EeHMulFGg+0LgMxU/EwGJkxYlyX7ywBASWnQdFydgif:0/LzUDVx9NASkWRMSGJ6XuuVWQdFag53
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  - PID 3960: 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
- Suspicious use of SetThreadContext (1 IoC)
  - PID 4620 (712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe) set thread context of PID 3960 (procid_target 90)
- Program crash (1 IoC)
  - PID 4528 (WerFault.exe) handled crash of target PID 3960 (procid_target 90)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (csc.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cvtres.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege, PID 4620 (712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe)
- Suspicious use of WriteProcessMemory (10 IoCs)
  - PID 4620 (712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe) wrote to memory of PID 4860 (procid_target 87)
  - PID 4620 (712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe) wrote to memory of PID 4860 (procid_target 87)
  - PID 4620 (712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe) wrote to memory of PID 4860 (procid_target 87)
  - PID 4860 (csc.exe) wrote to memory of PID 2176 (procid_target 89)
  - PID 4860 (csc.exe) wrote to memory of PID 2176 (procid_target 89)
  - PID 4860 (csc.exe) wrote to memory of PID 2176 (procid_target 89)
  - PID 4620 (712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe) wrote to memory of PID 3960 (procid_target 90)
  - PID 4620 (712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe) wrote to memory of PID 3960 (procid_target 90)
  - PID 4620 (712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe) wrote to memory of PID 3960 (procid_target 90)
  - PID 4620 (712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe) wrote to memory of PID 3960 (procid_target 90)
Processes
- "C:\Users\Admin\AppData\Local\Temp\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe" (PID 4620)
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sg2sluoe.cmdline" (PID 4860)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4D7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC4D6.tmp" (PID 2176)
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Roaming\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe (PID 3960)
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 12 (PID 4528)
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3960 -ip 3960 (PID 3292)
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe (Filesize: 6KB)