Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 19:47 UTC
Static task
static1
Behavioral task
behavioral1
Sample
118eaa0d54a0b2b63c2cf46557e71548cf6748741647e66bb126fb3fb01e9c27.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
118eaa0d54a0b2b63c2cf46557e71548cf6748741647e66bb126fb3fb01e9c27.exe
Resource
win10v2004-20241007-en
General
-
Target
118eaa0d54a0b2b63c2cf46557e71548cf6748741647e66bb126fb3fb01e9c27.exe
-
Size
89KB
-
MD5
0abc80ac3ed60ede55ab8bf1a9e7df07
-
SHA1
4baf9c7f3e3bf1891875eb40438401c53ff5edc7
-
SHA256
118eaa0d54a0b2b63c2cf46557e71548cf6748741647e66bb126fb3fb01e9c27
-
SHA512
f8689408b21c42e0857ace917e00c4f3ba7f79d18b104889412bdc1b2e6c781048a7167a37f008690b05413216f1cec1fbebfb1aa4f6cdfced1384c6432bf0d6
-
SSDEEP
1536:l9o65gQK3Zm+Mt9RV5O8oQ9cXFunGm6ManhFLnBqHan6owwosTk8vxA:l9o6fK2XqXQwhnHlqQo8Lvy
Malware Config
Signatures
-
Program crash 1 IoCs
pid pid_target Process procid_target 4396 2276 WerFault.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 118eaa0d54a0b2b63c2cf46557e71548cf6748741647e66bb126fb3fb01e9c27.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winver.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2276 winver.exe 2276 winver.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeShutdownPrivilege 3420 Explorer.EXE Token: SeCreatePagefilePrivilege 3420 Explorer.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2276 winver.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3420 Explorer.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1776 wrote to memory of 2276 1776 118eaa0d54a0b2b63c2cf46557e71548cf6748741647e66bb126fb3fb01e9c27.exe 83 PID 1776 wrote to memory of 2276 1776 118eaa0d54a0b2b63c2cf46557e71548cf6748741647e66bb126fb3fb01e9c27.exe 83 PID 1776 wrote to memory of 2276 1776 118eaa0d54a0b2b63c2cf46557e71548cf6748741647e66bb126fb3fb01e9c27.exe 83 PID 1776 wrote to memory of 2276 1776 118eaa0d54a0b2b63c2cf46557e71548cf6748741647e66bb126fb3fb01e9c27.exe 83 PID 2276 wrote to memory of 3420 2276 winver.exe 56 PID 2276 wrote to memory of 2776 2276 winver.exe 49
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2776
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3420 -
C:\Users\Admin\AppData\Local\Temp\118eaa0d54a0b2b63c2cf46557e71548cf6748741647e66bb126fb3fb01e9c27.exe"C:\Users\Admin\AppData\Local\Temp\118eaa0d54a0b2b63c2cf46557e71548cf6748741647e66bb126fb3fb01e9c27.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\winver.exewinver3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 6404⤵
- Program crash
PID:4396
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2276 -ip 22761⤵PID:5112
Network
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestwww.google.comIN AResponsewww.google.comIN A142.250.180.4
-
Remote address:8.8.8.8:53Requestinsamertojertoq.ccIN AResponse
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request138.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request53.210.109.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.42.69.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request106.209.201.84.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request21.236.111.52.in-addr.arpaIN PTRResponse
-
73 B 147 B 1 1
DNS Request
149.220.183.52.in-addr.arpa
-
60 B 76 B 1 1
DNS Request
www.google.com
DNS Response
142.250.180.4
-
64 B 131 B 1 1
DNS Request
insamertojertoq.cc
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
138.32.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
28.118.140.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
53.210.109.20.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
241.42.69.40.in-addr.arpa
-
73 B 133 B 1 1
DNS Request
106.209.201.84.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
21.236.111.52.in-addr.arpa
-