Analysis
- max time kernel: 94s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 20:57
Static task: static1
Behavioral task: behavioral1
  Sample: 2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
  Resource: win10v2004-20241007-en
General
- Target: 2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
- Size: 619KB
- MD5: df9223ad9ab9d96a33f9bae395d60fe9
- SHA1: 701c313f84dcb2dc99486d901d30fecc8eb8b485
- SHA256: 2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117
- SHA512: 17b102052b34b06224ad3d0a29b0c123650908d856e28f3ca979fcc34ffbeb24aa8b2a6fb6fd1a05d68b72db8c4e767ab80972717cc174bf3db1d1030243297e
- SSDEEP: 12288:coD30A+PVQ5zCD4VZRDGWF1m3aYhOA6eXVg:37+PVQ5zY431CaYAeXVg
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid | Process
  3692 | 2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  3692 | 2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  3408 | 2916 | WerFault.exe | 82
  2572 | 3692 | WerFault.exe | 90
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  pid | Process
  2916 | 2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
- Suspicious use of UnmapMainImage (1 IoCs)
  pid | Process
  3692 | 2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2916 wrote to memory of 3692 | 2916 | 2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe | 90
  PID 2916 wrote to memory of 3692 | 2916 | 2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe | 90
  PID 2916 wrote to memory of 3692 | 2916 | 2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe | 90
Processes
- C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe (PID 2916)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe"
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WerFault.exe (PID 3408)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 396
    Signatures:
    - Program crash
  - C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe (PID 3692)
    Command line: C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
    Signatures:
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
    Child processes:
    - C:\Windows\SysWOW64\WerFault.exe (PID 2572)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 364
      Signatures:
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3524)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2916 -ip 2916
- C:\Windows\SysWOW64\WerFault.exe (PID 3616)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3692 -ip 3692
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
  Filesize: 619KB
  MD5: 575c192f028e3517cf5183da7f89b1a6
  SHA1: 0edfe6be93c52fcb5560c20cede61b9742c49271
  SHA256: 4887e86ec32ff5d838892b52c44bed85d5165f2d843de9ede314ce9e1ad40fdc
  SHA512: f078c93505832ac03baf9147a77a72e7fe409c39f9794751c46441076068c853b5152bb731598782f5523e626d906365288691d0b2f384ce177acafed82b6162