43666a3d1bf6ba3d3e59e930c6ce5e14d744ab39a2781ceb88daacf6a74ad9b6

Analysis

max time kernel
93s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5093699e2b2728073ebfe205b1e27778235dcf9aff5b7d25ad38f23aea9ec50c.exe
Size

242KB
MD5

5458ee05655d3e4a69fd7c319c7324bf
SHA1

97ece65057682bfadba8b71284f42a5503fa66e7
SHA256

5093699e2b2728073ebfe205b1e27778235dcf9aff5b7d25ad38f23aea9ec50c
SHA512

770c7cf6ca443f913d8621db56447ac56abe137c0c5cdb7c77feaf024e6f6bc98a908d5e9bc425214961a252666f3a3fd4991c8dbb8b8af65378ad58b9d107c1
SSDEEP

6144:HNeZmAqvt7GQyo4Opdjv/Ml4TVS+8+1vcTjO+M:HNlNl7Gv0nMlWNh1vcPzM

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3540	seuxwbcie.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
628	3540	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5093699e2b2728073ebfe205b1e27778235dcf9aff5b7d25ad38f23aea9ec50c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	seuxwbcie.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 3540	3016	5093699e2b2728073ebfe205b1e27778235dcf9aff5b7d25ad38f23aea9ec50c.exe	83
PID 3016 wrote to memory of 3540	3016	5093699e2b2728073ebfe205b1e27778235dcf9aff5b7d25ad38f23aea9ec50c.exe	83
PID 3016 wrote to memory of 3540	3016	5093699e2b2728073ebfe205b1e27778235dcf9aff5b7d25ad38f23aea9ec50c.exe	83
PID 3540 wrote to memory of 2328	3540	seuxwbcie.exe	84
PID 3540 wrote to memory of 2328	3540	seuxwbcie.exe	84
PID 3540 wrote to memory of 2328	3540	seuxwbcie.exe	84

C:\Users\Admin\AppData\Local\Temp\5093699e2b2728073ebfe205b1e27778235dcf9aff5b7d25ad38f23aea9ec50c.exe
"C:\Users\Admin\AppData\Local\Temp\5093699e2b2728073ebfe205b1e27778235dcf9aff5b7d25ad38f23aea9ec50c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\seuxwbcie.exe
  C:\Users\Admin\AppData\Local\Temp\seuxwbcie.exe C:\Users\Admin\AppData\Local\Temp\ftufltq
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Users\Admin\AppData\Local\Temp\seuxwbcie.exe
    C:\Users\Admin\AppData\Local\Temp\seuxwbcie.exe C:\Users\Admin\AppData\Local\Temp\ftufltq
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 544
    3⤵
    - Program crash
    PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3540 -ip 3540
1⤵
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4th7ia948nr

Filesize
213KB

MD5
e4467ca5cb5c461ddd7b346bc354d987

SHA1
8fb54c8955bf390eb192c8c7d26defcd673cf12a

SHA256
f865b3cd97a06023b5223cf09fa9d96e4ddac420a94ebd896283c44519cc67e9

SHA512
d1045176ad555fa7d8ad7e790b3c507cbdecc507efef276a34bd54d6fe52fc356f55fbd3a1dd0be25c77b6f40ab3e75637384c71587d98403de61bf39ad3d4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftufltq

Filesize
4KB

MD5
74c5e9bd4b4a2b4893142993e7e5081b

SHA1
1f8366b183fe62f87f69aa776ec31765270cfad8

SHA256
b1d56d21881bfcb60b382ee61976e649aa9579059a167ccc3ef3808d744d395d

SHA512
c4d87d1bf07b5d1d45747f0e813c612f12affca2d34426c84adac372264d45c2d20707997377204c8419e9f6fcb72128fed2a0328b1041639af1efd7efcc9790

Download Submit
C:\Users\Admin\AppData\Local\Temp\seuxwbcie.exe

Filesize
4KB

MD5
a76d9b231af273f403da413af9b6fe1d

SHA1
30c52ca472a94e2b9535468a84e19ba790472590

SHA256
86c1a081301f284a88a5e5e6004f4de35c01550119b159ba2fa43b144958e1b6

SHA512
25f41ebb2226a3b4e1f06d653345a1252d20a8fade7b6c2e474174cbcc6c071077ef849286fa23565d78f0cf55b9a5bd24c2df91916f1c49ec5aa090192a5aa9

Download Submit
memory/3540-8-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download