137742d1bb597a2818431b1634f38a9d93069afc1657955ef7144c152eb26f86

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

643c1b8444da8c89fa83aed917307b6c.exe
Size

933KB
MD5

643c1b8444da8c89fa83aed917307b6c
SHA1

dda8fa31873ef7f27e22f712a2e0b6a7ae91a582
SHA256

137742d1bb597a2818431b1634f38a9d93069afc1657955ef7144c152eb26f86
SHA512

61636bf0eabf40ef8085a68170339184a73b7a3a528604853a75e577b549240de7a78a1c879757b510a13746184caf678d05e1e77c8c7a9241cbd7c2e2b87def
SSDEEP

12288:2dD2EUL1JUodNF0bzjryAqlBGWcz+izP1niQPqDEfRuLCMrecszC/:wD2EK1JzW3jGxBGDaizPkY6/mMScs2

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 6 IoCs

Processes:

643c1b8444da8c89fa83aed917307b6c.exe

pid	process
2452	643c1b8444da8c89fa83aed917307b6c.exe
2452	643c1b8444da8c89fa83aed917307b6c.exe
2452	643c1b8444da8c89fa83aed917307b6c.exe
2452	643c1b8444da8c89fa83aed917307b6c.exe
2452	643c1b8444da8c89fa83aed917307b6c.exe
2452	643c1b8444da8c89fa83aed917307b6c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2700 2452 WerFault.exe 643c1b8444da8c89fa83aed917307b6c.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

643c1b8444da8c89fa83aed917307b6c.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 643c1b8444da8c89fa83aed917307b6c.exe

pid	pid_target	process	target process
2700	2452	WerFault.exe	643c1b8444da8c89fa83aed917307b6c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	643c1b8444da8c89fa83aed917307b6c.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

643c1b8444da8c89fa83aed917307b6c.exe

description	pid	process	target process
PID 2452 wrote to memory of 2700	2452	643c1b8444da8c89fa83aed917307b6c.exe	WerFault.exe
PID 2452 wrote to memory of 2700	2452	643c1b8444da8c89fa83aed917307b6c.exe	WerFault.exe
PID 2452 wrote to memory of 2700	2452	643c1b8444da8c89fa83aed917307b6c.exe	WerFault.exe
PID 2452 wrote to memory of 2700	2452	643c1b8444da8c89fa83aed917307b6c.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe
"C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 524
  2⤵
  - Program crash
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nso9B95.tmp\LangDLL.dll

Filesize
5KB

MD5
61f69388ae89d61a3d838cbcf81b4f82

SHA1
e595c0236a373a6ac79c334dc183ee03ca8f8ecd

SHA256
d65875bb4bc121f81384d55fde90dd9eb9ad1878cd8a02bcb5c8a933c3987a61

SHA512
21d34738cc21c1ef6b0ef1ac53659cdab224bbc20ea983f9a952a2cb4b5785a07bb18c0acf22a0d12a94795e1fc6d314f442c923bb1a93b675edac8c6aacf469

Download Submit
\Users\Admin\AppData\Local\Temp\nso9B95.tmp\System.dll

Filesize
11KB

MD5
4ca4fd3fbefa2f6e87e6e9ee87d1c0b3

SHA1
7cdbeb5ff2b14b86af04e075d0ca651183ea5df4

SHA256
d09a8b3ade4ba4b7292c0b3da1bcb4b6c6e2012e0ccfd5e029a54af73a9e1b57

SHA512
cf0f415a97fdc74568297fed4f1295d0d2aef487a308141144ef8d5f04c669ef4795c273e745b81065429adde113fcdedf4c22717a7aeef60fdcd8d4d46f97f8

Download Submit
memory/2452-35-0x0000000003F70000-0x000000000500E000-memory.dmp

Filesize
16.6MB

Download
memory/2452-36-0x0000000003F70000-0x000000000500E000-memory.dmp

Filesize
16.6MB

Download