Analysis

max time kernel:  120s
max time network: 94s
platform:         windows10-2004_x64
resource:         win10v2004-20241007-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted:        09/11/2024, 15:50
Static task: static1

Behavioral task: behavioral1
  Sample:   80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample:   80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe
  Resource: win10v2004-20241007-en
General

Target: 80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe
Size:   424KB
MD5:    427f77d8ed22b8e092aa5b06578d9300
SHA1:   6fa46ca549b8f52f21f769b4e19e5f8dd4a9ba57
SHA256: 80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67
SHA512: 89bd0577ed9b989c7792214de584255d600550638cddcc4194ec5160abc2b5c48745dac2c9623a27964a0807436e3d68d774565d69f65c984f8ac46ceeee0b89
SSDEEP: 12288:v16h5mf3I2iwDzgn3Y5h6sriJdtt9ryg4Wr2:vQXa3Kw/gnShktt9WJo2
Malware Config
Signatures
Deletes itself (1 IoC)
  pid   Process
  2128  aEiNhOi06300.exe

Executes dropped EXE (1 IoC)
  pid   Process
  2128  aEiNhOi06300.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc:         \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aEiNhOi06300 = "C:\\ProgramData\\aEiNhOi06300\\aEiNhOi06300.exe"
  Process:     aEiNhOi06300.exe
  resource                                                                      yara_rule
  behavioral2/memory/548-1-0x0000000000400000-0x00000000004B3000-memory.dmp     upx
  behavioral2/memory/548-3-0x0000000000400000-0x00000000004B3000-memory.dmp     upx
  behavioral2/memory/548-6-0x0000000000400000-0x00000000004B3000-memory.dmp     upx
  behavioral2/memory/548-5-0x0000000000400000-0x00000000004B3000-memory.dmp     upx
  behavioral2/memory/2128-19-0x0000000000400000-0x00000000004B3000-memory.dmp   upx
  behavioral2/memory/2128-20-0x0000000000400000-0x00000000004B3000-memory.dmp   upx
  behavioral2/memory/548-24-0x0000000000400000-0x00000000004B3000-memory.dmp    upx
  behavioral2/memory/2128-26-0x0000000000400000-0x00000000004B3000-memory.dmp   upx
  behavioral2/memory/2128-34-0x0000000000400000-0x00000000004B3000-memory.dmp   upx
  behavioral2/memory/548-45-0x0000000000400000-0x00000000004B3000-memory.dmp    upx
Program crash (27 IoCs)
  pid   pid_target  Process       procid_target
  208   548         WerFault.exe  83
  4908  548         WerFault.exe  83
  1640  548         WerFault.exe  83
  3540  2128        WerFault.exe  91
  3112  548         WerFault.exe  83
  4780  2128        WerFault.exe  91
  4968  548         WerFault.exe  83
  2556  2128        WerFault.exe  91
  3196  548         WerFault.exe  83
  2620  2128        WerFault.exe  91
  4884  2128        WerFault.exe  91
  1452  548         WerFault.exe  83
  4720  548         WerFault.exe  83
  1004  2128        WerFault.exe  91
  2728  548         WerFault.exe  83
  4700  2128        WerFault.exe  91
  2016  2128        WerFault.exe  91
  3492  2128        WerFault.exe  91
  3504  2128        WerFault.exe  91
  4908  2128        WerFault.exe  91
  5044  2128        WerFault.exe  91
  3884  2128        WerFault.exe  91
  4008  2128        WerFault.exe  91
  3076  2128        WerFault.exe  91
  4656  548         WerFault.exe  83
  2776  548         WerFault.exe  83
  5088  2128        WerFault.exe  91
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aEiNhOi06300.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  The 64 pid/Process rows, in the order reported, with consecutive identical rows collapsed into a count:
  pid   Process                                                                  consecutive rows
  548   80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe  x30
  2128  aEiNhOi06300.exe                                                         x2
  548   80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe  x2
  2128  aEiNhOi06300.exe                                                         x2
  548   80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe  x2
  2128  aEiNhOi06300.exe                                                         x2
  548   80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe  x2
  2128  aEiNhOi06300.exe                                                         x2
  548   80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe  x2
  2128  aEiNhOi06300.exe                                                         x2
  548   80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe  x2
  2128  aEiNhOi06300.exe                                                         x4
  548   80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe  x2
  2128  aEiNhOi06300.exe                                                         x2
  548   80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe  x4
  2128  aEiNhOi06300.exe                                                         x2
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  548   80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe
  Token: SeDebugPrivilege  2128  aEiNhOi06300.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  2128  aEiNhOi06300.exe
  2128  aEiNhOi06300.exe

Suspicious use of SendNotifyMessage (2 IoCs)
  pid   Process
  2128  aEiNhOi06300.exe
  2128  aEiNhOi06300.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2128  aEiNhOi06300.exe
  2128  aEiNhOi06300.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid  Process                                                                  procid_target
  PID 548 wrote to memory of 2128  548  80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe  91
  PID 548 wrote to memory of 2128  548  80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe  91
  PID 548 wrote to memory of 2128  548  80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe  91
Processes

C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe"
  PID: 548
  Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 584 (PID 208) - Program crash

  C:\ProgramData\aEiNhOi06300\aEiNhOi06300.exe
    Command line: "C:\ProgramData\aEiNhOi06300\aEiNhOi06300.exe" "C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe"
    PID: 2128
    Signatures:
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 632 (PID 3540) - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 784 (PID 4780) - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 784 (PID 2556) - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 816 (PID 2620) - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 824 (PID 4884) - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1004 (PID 1004) - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1040 (PID 4700) - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1224 (PID 2016) - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1412 (PID 3492) - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1624 (PID 3504) - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 952 (PID 4908) - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 668 (PID 5044) - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1656 (PID 3884) - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1812 (PID 4008) - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1848 (PID 3076) - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 752 (PID 5088) - Program crash
  C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 648 (PID 4908) - Program crash
  C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 812 (PID 1640) - Program crash
  C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 820 (PID 3112) - Program crash
  C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 820 (PID 4968) - Program crash
  C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 840 (PID 3196) - Program crash
  C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 976 (PID 1452) - Program crash
  C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1052 (PID 4720) - Program crash
  C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1200 (PID 2728) - Program crash
  C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 672 (PID 4656) - Program crash
  C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 76 (PID 2776) - Program crash
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 548 -ip 548 (PID 4880)
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 548 -ip 548 (PID 344)
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 548 -ip 548 (PID 1600)
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2128 -ip 2128 (PID 2068)
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 548 -ip 548 (PID 2040)
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2128 -ip 2128 (PID 2428)
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 548 -ip 548 (PID 764)
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2128 -ip 2128 (PID 1100)
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 548 -ip 548 (PID 1192)
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2128 -ip 2128 (PID 1016)
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2128 -ip 2128 (PID 1764)
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 548 -ip 548 (PID 1924)
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 548 -ip 548 (PID 4580)
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2128 -ip 2128 (PID 720)
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 548 -ip 548 (PID 3508)
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2128 -ip 2128 (PID 264)
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2128 -ip 2128 (PID 3120)
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2128 -ip 2128 (PID 1296)
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2128 -ip 2128 (PID 4804)
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2128 -ip 2128 (PID 4164)
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2128 -ip 2128 (PID 3776)
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2128 -ip 2128 (PID 1672)
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2128 -ip 2128 (PID 2428)
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2128 -ip 2128 (PID 764)
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 548 -ip 548 (PID 2404)
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 548 -ip 548 (PID 4944)
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2128 -ip 2128 (PID 2276)
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 424KB
MD5:      938c4ba1fa5227886b53f0aa7e621e55
SHA1:     95885b14422ef1f5dc9a42b14b2d8679143766e0
SHA256:   fbb2fdf67593ddb8d94cc4e8cc9c891de4624b8596654bf73c740fcdf5f7c4a4
SHA512:   95a7cbfb74070783c0a369e46f69f2381ebcffb99552132bd556bff6ea9a5d8ba543f2e2d2e94217e31226c4ae765808a7ebdda35525ee3c1f16b96c1abc9fb1