a754c8899bf9ffc378d8fe239a58b0154bd9fc7cf8b2f2fdc1b1103885a70c99

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/11/2024, 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a754c8899bf9ffc378d8fe239a58b0154bd9fc7cf8b2f2fdc1b1103885a70c99.exe
Size

699KB
MD5

63d2f97a6de92084873293a617e685db
SHA1

423997f0830a1f833d7c1e6b615ac84850b298a1
SHA256

a754c8899bf9ffc378d8fe239a58b0154bd9fc7cf8b2f2fdc1b1103885a70c99
SHA512

2954eb36e39cbfa18c024dae9536d42b4f2eecf16bf3db623e0efc3f1a7ba02f9df4a1831abb4315b03b83c7497278b10f8001ea484cc31da8352f265f214743
SSDEEP

12288:E3cAEjow+kXtp28J4cGUhl+n0kbd6t21Rwm3+9rtQEFoxB50+tNADhZebeEkO/:E3cAEjow+kXf28J4cGeAn0Ttzm3EruEa

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2420	a754c8899bf9ffc378d8fe239a58b0154bd9fc7cf8b2f2fdc1b1103885a70c99.exe
2420	a754c8899bf9ffc378d8fe239a58b0154bd9fc7cf8b2f2fdc1b1103885a70c99.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2460	2420	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a754c8899bf9ffc378d8fe239a58b0154bd9fc7cf8b2f2fdc1b1103885a70c99.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2460	2420	a754c8899bf9ffc378d8fe239a58b0154bd9fc7cf8b2f2fdc1b1103885a70c99.exe	30
PID 2420 wrote to memory of 2460	2420	a754c8899bf9ffc378d8fe239a58b0154bd9fc7cf8b2f2fdc1b1103885a70c99.exe	30
PID 2420 wrote to memory of 2460	2420	a754c8899bf9ffc378d8fe239a58b0154bd9fc7cf8b2f2fdc1b1103885a70c99.exe	30
PID 2420 wrote to memory of 2460	2420	a754c8899bf9ffc378d8fe239a58b0154bd9fc7cf8b2f2fdc1b1103885a70c99.exe	30

C:\Users\Admin\AppData\Local\Temp\a754c8899bf9ffc378d8fe239a58b0154bd9fc7cf8b2f2fdc1b1103885a70c99.exe
"C:\Users\Admin\AppData\Local\Temp\a754c8899bf9ffc378d8fe239a58b0154bd9fc7cf8b2f2fdc1b1103885a70c99.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 528
  2⤵
  - Program crash
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsdAFC0.tmp

Filesize
27B

MD5
b93641813851b1ad166b8163e5aeddc9

SHA1
642d989ceea62bcfd70fb74f3c62ade0c1c41d78

SHA256
1628c6bee5afc85044309f45e34190bc9ce8bd9516e30792460e14362657d42d

SHA512
eee31a0d51df3a7ba35ab4025f8d458c4d12b6f46412982ad34aef31d9e83c7070056a07777ed4b62fb3b92b376b618099374901ffe4f988fe0f853a0e57c8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdAFC0.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdB011.tmp

Filesize
40B

MD5
a81b450639aec72b1edb0b885417b0b1

SHA1
8950d0b009ac7e1f785051f4300ff1790f16a833

SHA256
4f4e2fc88d3dcebdfe1cea5d9f6a799a21fac8ea9ed5698f9e31232dce6495ab

SHA512
a7361ddaa304415e1e47b199b5d7b1f2e2ba4af239bc61ee066e92c67bb1a2b27bdd7f351a74f6633eee38bfab2766734fec634a320948fd710e041369c45dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdB011.tmp

Filesize
60B

MD5
94d50858f536d0b073217deb807d181a

SHA1
deaaf25f8ec263928644fceb69dcb199a06cf8e7

SHA256
2e191ac2589e939929565cf8bd27d1caa964a008e0e3601d3aa868232881439d

SHA512
f7ff9d549378b002cb9abe8c2cc826d3df1ff15f66bcf06ef0c0c55ecf70560e0c0b7951cefd8c94a7687fd38ca8b6c19668074772f1aac5e8a42bebbd6c2534

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB032.tmp

Filesize
56B

MD5
d5f1458e5d902ac7ad80c68d24774d42

SHA1
67ff9152ddb4dd68d86a15b36106e938466364c5

SHA256
7ca2dfdf8dc94f01a7b20ee482d7abc1a60c33b1787fe3c7e431dfb6f6717a01

SHA512
4532f426a42030df2a4cd3c9e61411b7a24918e1854af3a1b4b4b9d3199cdebebc42f8c7d1336319429c9208fc2235f0844cbf95b0335ac67d180609549f338c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB0CF.tmp

Filesize
27B

MD5
4957153fabb445fb18c9ebc9c311f34d

SHA1
d12d7a2c8a4b61bae681b19b9a07a06a0d0d4632

SHA256
fbaa92d310219f370662dbcb3d8023c007b4786d0bf979228690d4df2cf89c91

SHA512
4c0ee80abbe5748e3b794982585dc819c57f59429ef47ab628a801d05752daea92e7ef97088556b5411a49e8724157ee748a0e40c3efc0962927783fc1a44cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyAFF1.tmp

Filesize
22B

MD5
b047816b08c4d8bfc15d92a76b02f032

SHA1
524d75ebcb25c312f94331dfe9d912d64bed2cdd

SHA256
b1cf0c961cc0706922ed4e40300fbde987d521b47a778d61ad809684b5a16a35

SHA512
d808dd3603318dd503e81dc25be9f03f7623dc2dc812b6955992bcb079071542e655fad2a45343a0a453a97b044f820b090f4cbc6015b6f4b988106bc6aeb757

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyAFF1.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
\Users\Admin\AppData\Local\Temp\nsjAFE1.tmp\System.dll

Filesize
12KB

MD5
12b140583e3273ee1f65016becea58c4

SHA1
92df24d11797fefd2e1f8d29be9dfd67c56c1ada

SHA256
014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042

SHA512
49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a

Download Submit