8366f77c935b2e69de39caac11507cc0ad2ac8eba6ebd70fa04c65b99b19225f

Analysis

max time kernel
148s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO -96778097 HHIC 137 IMO 9730086-HYU24111103-프로젝트 순서.exe
Size

1.7MB
MD5

4302ff3ce4d3f174a2a6f6b4d6bbef32
SHA1

3039a7ebfc83cc920790ca4ee7d18a0b332437ed
SHA256

8082ea9624bb02dd681c092c1fbddf363c145b8a633441dde6170e7eb151d8ef
SHA512

228fe4cdd9f49da7830a4266737f7b16b666c08f3e01ab09a8e7934864d25142c2691e9360efced6787900693429970faa44b3c065104104101e3b9b792940fe
SSDEEP

49152:7JZoQrbTFZY1iaCtkWTTglQ4v5Hs2ydsx/wwRW:7trbTA1ik7v5HDRW

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conged.vbs	conged.exe

Executes dropped EXE 1 IoCs

pid	Process
2192	conged.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0002000000022ab7-14.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2980	2192	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO -96778097 HHIC 137 IMO 9730086-HYU24111103-프로젝트 순서.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conged.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2192	1444	PO -96778097 HHIC 137 IMO 9730086-HYU24111103-프로젝트 순서.exe	86
PID 1444 wrote to memory of 2192	1444	PO -96778097 HHIC 137 IMO 9730086-HYU24111103-프로젝트 순서.exe	86
PID 1444 wrote to memory of 2192	1444	PO -96778097 HHIC 137 IMO 9730086-HYU24111103-프로젝트 순서.exe	86
PID 2192 wrote to memory of 468	2192	conged.exe	88
PID 2192 wrote to memory of 468	2192	conged.exe	88
PID 2192 wrote to memory of 468	2192	conged.exe	88

C:\Users\Admin\AppData\Local\Temp\PO -96778097 HHIC 137 IMO 9730086-HYU24111103-프로젝트 순서.exe
"C:\Users\Admin\AppData\Local\Temp\PO -96778097 HHIC 137 IMO 9730086-HYU24111103-프로젝트 순서.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\troopwise\conged.exe
  "C:\Users\Admin\AppData\Local\Temp\PO -96778097 HHIC 137 IMO 9730086-HYU24111103-프로젝트 순서.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\PO -96778097 HHIC 137 IMO 9730086-HYU24111103-프로젝트 순서.exe"
    3⤵
    PID:468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 744
    3⤵
    - Program crash
    PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2192 -ip 2192
1⤵
PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\emboweling

Filesize
168KB

MD5
2b734a58eb90ba53ae46a5fc2dccb0e0

SHA1
084a6e84de6f1fac75f0cf77242f731eb7440c40

SHA256
df08a2a8994a3ada1866d1bf78e039b645c104c88f432db8a137c6dd9189dd89

SHA512
52a13baba5e892d3f5f8488f5b55e3083a236ac3d9611a8a711e454844e700f9791918af99b27a31532c0c5c012ebb4eb9bad06afe1b2890f0ab9ad0807c2d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\outbluffed

Filesize
1.5MB

MD5
d922b5db9e0a93881d57340da2135bb9

SHA1
40841c814c434e8e58d9493c33c550d20b257698

SHA256
4318a0ca20a76b77ce8fc53b4b1a9320366abb2127173496f66490ccd1bc2f30

SHA512
c7e58d769cb02a33b24d60e051475052bc72b5254e69414e15946af89407e8faef3f0d8eca6478870d8ead75566c279c9c783d3ba648290dfe4d64519e33fd95

Download Submit
C:\Users\Admin\AppData\Local\troopwise\conged.exe

Filesize
1.7MB

MD5
4302ff3ce4d3f174a2a6f6b4d6bbef32

SHA1
3039a7ebfc83cc920790ca4ee7d18a0b332437ed

SHA256
8082ea9624bb02dd681c092c1fbddf363c145b8a633441dde6170e7eb151d8ef

SHA512
228fe4cdd9f49da7830a4266737f7b16b666c08f3e01ab09a8e7934864d25142c2691e9360efced6787900693429970faa44b3c065104104101e3b9b792940fe

Download Submit
memory/1444-11-0x0000000003D10000-0x0000000003F10000-memory.dmp

Filesize
2.0MB

Download
memory/2192-29-0x0000000003C40000-0x0000000003E40000-memory.dmp

Filesize
2.0MB

Download