5a7a7f395371aa848157cef116e5d86bb7299c8f5859c9f25704175cce61821c

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOCS MENEN Gebrüder Weiss.exe
Size

699KB
MD5

63d2f97a6de92084873293a617e685db
SHA1

423997f0830a1f833d7c1e6b615ac84850b298a1
SHA256

a754c8899bf9ffc378d8fe239a58b0154bd9fc7cf8b2f2fdc1b1103885a70c99
SHA512

2954eb36e39cbfa18c024dae9536d42b4f2eecf16bf3db623e0efc3f1a7ba02f9df4a1831abb4315b03b83c7497278b10f8001ea484cc31da8352f265f214743
SSDEEP

12288:E3cAEjow+kXtp28J4cGUhl+n0kbd6t21Rwm3+9rtQEFoxB50+tNADhZebeEkO/:E3cAEjow+kXf28J4cGeAn0Ttzm3EruEa

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2112	DOCS MENEN Gebrüder Weiss.exe
2112	DOCS MENEN Gebrüder Weiss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2956	2112	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOCS MENEN Gebrüder Weiss.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2956	2112	DOCS MENEN Gebrüder Weiss.exe	31
PID 2112 wrote to memory of 2956	2112	DOCS MENEN Gebrüder Weiss.exe	31
PID 2112 wrote to memory of 2956	2112	DOCS MENEN Gebrüder Weiss.exe	31
PID 2112 wrote to memory of 2956	2112	DOCS MENEN Gebrüder Weiss.exe	31

C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe
"C:\Users\Admin\AppData\Local\Temp\DOCS MENEN Gebrüder Weiss.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 528
  2⤵
  - Program crash
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nstCBDC.tmp

Filesize
1B

MD5
8ce4b16b22b58894aa86c421e8759df3

SHA1
13fbd79c3d390e5d6585a21e11ff5ec1970cff0c

SHA256
8254c329a92850f6d539dd376f4816ee2764517da5e0235514af433164480d7a

SHA512
2af8a9104b3f64ed640d8c7e298d2d480f03a3610cbc2b33474321ec59024a48592ea8545e41e09d5d1108759df48ede0054f225df39d4f0f312450e0aa9dd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCBDC.tmp

Filesize
2B

MD5
25bc6654798eb508fa0b6343212a74fe

SHA1
15d5e1d3b948fd5986aaff7d9419b5e52c75fc93

SHA256
8e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc

SHA512
5868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCBDC.tmp

Filesize
3B

MD5
4e27f2226785e9abbe046fc592668860

SHA1
28b18a7f383131df509f7191f946a32c5a2e410c

SHA256
01a219245e1501fee01ce0baea8f6065ce5162cea12fa570689a07c9717be81d

SHA512
2a23585835bdb5db8175cab265566042282841efdcee8aaba8b9b5d466b0f165c0c5973033ce94bb9a8f07a956689247981ea07ac5a51408263e1653d9710adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCBDC.tmp

Filesize
4B

MD5
cde63b34c142af0a38cbe83791c964f8

SHA1
ece2b194b486118b40ad12c1f0e9425dd0672424

SHA256
65e2d70166c9a802b7ad2a87129b8945f083e5f268878790a9d1f1c03f47938d

SHA512
0559d3d34ad64ccc27e685431c24fc6ead0f645db14fa0e125a64fb67dbd158c15432c1fc5407811aac8a3486090dfbcfcbc3c6bf5aa0ec73f979ef62d14853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCBDC.tmp

Filesize
8B

MD5
c3cb69218b85c3260387fb582cb518dd

SHA1
961c892ded09a4cbb5392097bb845ccba65902ad

SHA256
1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101

SHA512
2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCBDC.tmp

Filesize
27B

MD5
25f205f6839d0787565c29c38a66e75e

SHA1
a2fbad8a011fe9e90a71727905ab119dd3c39b0f

SHA256
e2b210499b723d06146d7e4b169a4ae664b9f157a7ce9fdf76f763acad5163b2

SHA512
24b55c8bc4a2a7cd3e4360e0bdbd9dfdb8c81a5cc8b8e8205916064ebbcb9e83ffb86e6d42dc1325c93539625b66540353180119469b31d2a01b6c7300e9e495

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCBDC.tmp

Filesize
56B

MD5
d5f1458e5d902ac7ad80c68d24774d42

SHA1
67ff9152ddb4dd68d86a15b36106e938466364c5

SHA256
7ca2dfdf8dc94f01a7b20ee482d7abc1a60c33b1787fe3c7e431dfb6f6717a01

SHA512
4532f426a42030df2a4cd3c9e61411b7a24918e1854af3a1b4b4b9d3199cdebebc42f8c7d1336319429c9208fc2235f0844cbf95b0335ac67d180609549f338c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyCB0D.tmp

Filesize
33B

MD5
5555876f2521b3ae2424dd9d6ce983aa

SHA1
5dd9296584980764dc0bebb55e721e6f9aacc86b

SHA256
0ca259e86b73dc8d2f375e3860b6bf91b78b3680b5b90c262fdd82432492a77a

SHA512
71992459867bdb629a697d2f1e750390983fd752fe46f3c753eb0671d8e7498850320145b5662c714229cfcad6f0a2fbffac4c5a6ff40c87a90701bfa69763dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyCB5D.tmp

Filesize
37B

MD5
19bb0d4e0dbbeec8ba11676faf173020

SHA1
803ec505ddf82c03af6de9ea9bc483d709f01b08

SHA256
9c719d5b57ba39eeac8bb3dc66e5e4116e6df0d13708c46dbb0df2a89b50467d

SHA512
5c10165a0160b4ae90ffb637971daa4086d6fbe2c4cb771050c6736ece6332cee843629ae2ce98139543e099cd439a730696e5c6c2fdbcca449ac9803a6e4df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyCB5D.tmp

Filesize
45B

MD5
34d32f9b446e46883ec3157794403748

SHA1
e797e81a28e395ea751871b21e638e43d62d0f61

SHA256
a66d886953526d5601da515e1aa53a3f8cbc829aedd557cdf4d0f9573793486e

SHA512
48b0f49ca3604f5a21cb2b850ac19771a17e0fa03cf0b3d6e616e330f136c71dcc623ac36b5b801c4fda203327290b8e3f5ec01a0ea546a87c2ae89a88b74ed1

Download Submit
\Users\Admin\AppData\Local\Temp\nsjCB4D.tmp\System.dll

Filesize
12KB

MD5
12b140583e3273ee1f65016becea58c4

SHA1
92df24d11797fefd2e1f8d29be9dfd67c56c1ada

SHA256
014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042

SHA512
49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a

Download Submit