4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/11/2024, 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe
Size

714KB
MD5

a03dcb82d6ecaab34cc6ae971a806c06
SHA1

3bf367387ad278b154bd2af42e7bedf0f8676f6c
SHA256

4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d
SHA512

a11a2c0e59cd229d6d8de8edb4322ca434e5931ef94bb1cf4c5435e891125ca8c0518a675277c36936ff47e71eab7954ce17aaa36abb0109cbf84087e9652352
SSDEEP

12288:E3cAEjowqtlkCSN+RgfcWNQDw9HSAcQ4A5uKrQrxco0+tNADhZebeEkOP:E3cAEjowDCC+R7ab9HSzJWoV07fDW

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2504	4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe
2504	4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2260	2504	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2260	2504	4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe	30
PID 2504 wrote to memory of 2260	2504	4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe	30
PID 2504 wrote to memory of 2260	2504	4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe	30
PID 2504 wrote to memory of 2260	2504	4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe	30

C:\Users\Admin\AppData\Local\Temp\4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe
"C:\Users\Admin\AppData\Local\Temp\4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 528
  2⤵
  - Program crash
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsdA3DE.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjA400.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoA421.tmp

Filesize
56B

MD5
5974087856e59ba1b1d228e39d15591a

SHA1
43555cd275094990a54289fca083e1f9e14ab8c7

SHA256
9d118dc7d563043a8ec352f7112af2eac3ebffd11258e4924533ff4fd00bb771

SHA512
876d36cb1b3a22cd0686d04fd0830b7c15b67c4003d9c2cd67496d3f726b72544e64f9cd94bcd951c8eba9e74cb1e2aaa0638552fd82bc5bdb547a6e28950082

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstA441.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA410.tmp

Filesize
60B

MD5
953ec092c39a753076f7ba3888679925

SHA1
a658db8c80e2175c08e026d20ae06dacdfc7e100

SHA256
46d1e26793406453e0df203bbbf7a964247e33dc6c5a9d842a41acee70755e9d

SHA512
ea1730869e58239fd68489649305d5324dac06ecc00b4f19bd4dc4c4138865f7a5948307fa33b6e69136b20b4d934e2ec01b8a7cd75f056e09fe738f0ca27c39

Download Submit
\Users\Admin\AppData\Local\Temp\nstA3EF.tmp\System.dll

Filesize
12KB

MD5
12b140583e3273ee1f65016becea58c4

SHA1
92df24d11797fefd2e1f8d29be9dfd67c56c1ada

SHA256
014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042

SHA512
49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a

Download Submit