Analysis

  • max time kernel
    94s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/11/2024, 20:57

General

  • Target

    2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe

  • Size

    619KB

  • MD5

    df9223ad9ab9d96a33f9bae395d60fe9

  • SHA1

    701c313f84dcb2dc99486d901d30fecc8eb8b485

  • SHA256

    2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117

  • SHA512

    17b102052b34b06224ad3d0a29b0c123650908d856e28f3ca979fcc34ffbeb24aa8b2a6fb6fd1a05d68b72db8c4e767ab80972717cc174bf3db1d1030243297e

  • SSDEEP

    12288:coD30A+PVQ5zCD4VZRDGWF1m3aYhOA6eXVg:37+PVQ5zY431CaYAeXVg

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
    "C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 396
      2⤵
      • Program crash
      PID:3408
    • C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
      C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of UnmapMainImage
      PID:3692
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 364
        3⤵
        • Program crash
        PID:2572
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2916 -ip 2916
    1⤵
      PID:3524
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3692 -ip 3692
      1⤵
        PID:3616

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe

              Filesize

              619KB

              MD5

              575c192f028e3517cf5183da7f89b1a6

              SHA1

              0edfe6be93c52fcb5560c20cede61b9742c49271

              SHA256

              4887e86ec32ff5d838892b52c44bed85d5165f2d843de9ede314ce9e1ad40fdc

              SHA512

              f078c93505832ac03baf9147a77a72e7fe409c39f9794751c46441076068c853b5152bb731598782f5523e626d906365288691d0b2f384ce177acafed82b6162

            • memory/2916-0-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

            • memory/2916-8-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

            • memory/3692-7-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

            • memory/3692-14-0x00000000014E0000-0x0000000001522000-memory.dmp

              Filesize

              264KB

            • memory/3692-9-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

            • memory/3692-15-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB