bd083c422853ed2a6270fd7be75e3b7f95f128f1496546993c381ac4818f1e99

Analysis

max time kernel
92s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/11/2024, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ESTEEM ASTRO PARTICULARS.pdf.exe
Size

1.1MB
MD5

177433242c915815b6c13dc992a2e82b
SHA1

4ef6d9a9b024d0e43dbb797e90234e768299296c
SHA256

1de2fa3a2ecc25fc9b28f0e4ba4156a89d2b536c04bafc7b83014a6c5dc9dfaf
SHA512

bc0b3b8367ad592f652ba21d8e87899daebc5bdad3ebeddf72331d6ce5269e9df8a6bf81fb409b49325a4648d6f71b087a1f1a45292d63e3185e98fc90c19fc1
SSDEEP

24576:jtb20pkaCqT5TBWgNQ7aIdoXsVfcwhoyVKMQXH6A:gVg5tQ7aIachfhSH5

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2696	2288	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ESTEEM ASTRO PARTICULARS.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ESTEEM ASTRO PARTICULARS.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ESTEEM ASTRO PARTICULARS.pdf.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3660	ESTEEM ASTRO PARTICULARS.pdf.exe
4212	ESTEEM ASTRO PARTICULARS.pdf.exe
2288	ESTEEM ASTRO PARTICULARS.pdf.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 1780	3660	ESTEEM ASTRO PARTICULARS.pdf.exe	86
PID 3660 wrote to memory of 1780	3660	ESTEEM ASTRO PARTICULARS.pdf.exe	86
PID 3660 wrote to memory of 1780	3660	ESTEEM ASTRO PARTICULARS.pdf.exe	86
PID 3660 wrote to memory of 4212	3660	ESTEEM ASTRO PARTICULARS.pdf.exe	87
PID 3660 wrote to memory of 4212	3660	ESTEEM ASTRO PARTICULARS.pdf.exe	87
PID 3660 wrote to memory of 4212	3660	ESTEEM ASTRO PARTICULARS.pdf.exe	87
PID 4212 wrote to memory of 4952	4212	ESTEEM ASTRO PARTICULARS.pdf.exe	90
PID 4212 wrote to memory of 4952	4212	ESTEEM ASTRO PARTICULARS.pdf.exe	90
PID 4212 wrote to memory of 4952	4212	ESTEEM ASTRO PARTICULARS.pdf.exe	90
PID 4212 wrote to memory of 2288	4212	ESTEEM ASTRO PARTICULARS.pdf.exe	91
PID 4212 wrote to memory of 2288	4212	ESTEEM ASTRO PARTICULARS.pdf.exe	91
PID 4212 wrote to memory of 2288	4212	ESTEEM ASTRO PARTICULARS.pdf.exe	91
PID 2288 wrote to memory of 3048	2288	ESTEEM ASTRO PARTICULARS.pdf.exe	94
PID 2288 wrote to memory of 3048	2288	ESTEEM ASTRO PARTICULARS.pdf.exe	94
PID 2288 wrote to memory of 3048	2288	ESTEEM ASTRO PARTICULARS.pdf.exe	94

C:\Users\Admin\AppData\Local\Temp\ESTEEM ASTRO PARTICULARS.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\ESTEEM ASTRO PARTICULARS.pdf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\ESTEEM ASTRO PARTICULARS.pdf.exe"
  2⤵
  PID:1780
- C:\Users\Admin\AppData\Local\Temp\ESTEEM ASTRO PARTICULARS.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\ESTEEM ASTRO PARTICULARS.pdf.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\ESTEEM ASTRO PARTICULARS.pdf.exe"
    3⤵
    PID:4952
- - C:\Users\Admin\AppData\Local\Temp\ESTEEM ASTRO PARTICULARS.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\ESTEEM ASTRO PARTICULARS.pdf.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\ESTEEM ASTRO PARTICULARS.pdf.exe"
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 640
      4⤵
      Program crash
      PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2288 -ip 2288
1⤵
PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autB40E.tmp

Filesize
261KB

MD5
37c8359babb5211ca2026d38a5de9d08

SHA1
286adc5945eb69075f150a2c01d7c0e36d328dac

SHA256
5cad2ca441900ae49aaa98725d963993bec2389af749265bc804011d57aeb8fb

SHA512
1521e3ff9845061b9b7076ee3a32ff1a0b900abcb17b1d2d3d8a798473c70cde0208255f566378dc2b88d606fe40a7c58ceb931cb81a068792779e44482605d6

Download Submit
memory/2288-28-0x00000000010A0000-0x00000000014A0000-memory.dmp

Filesize
4.0MB

Download
memory/3660-8-0x0000000000FE0000-0x00000000013E0000-memory.dmp

Filesize
4.0MB

Download
memory/4212-18-0x0000000000870000-0x0000000000C70000-memory.dmp

Filesize
4.0MB

Download