Analysis

  • max time kernel
    94s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2024 07:22

General

  • Target

    f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe

  • Size

    1.1MB

  • MD5

    51b591af51c719fe45c77aefd310b748

  • SHA1

    8ba7fef83fbd129616b8e94e0c489c412bd70ae3

  • SHA256

    f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682

  • SHA512

    da1ed6e4cc287eb264abc43793c1a44df3abc56a94db81f9182f952468304993e97a8a50f46d37e253d1f44b8bfa073c931902161c5d4532c87b9a2300f8e080

  • SSDEEP

    24576:WfmMv6Ckr7Mny5Qti452VFcjvzjr0A0/1D6d:W3v+7/5Qtl52PEL/0A0/1D6d

Score
7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe
    "C:\Users\Admin\AppData\Local\Temp\f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Users\Admin\AppData\Local\meshuggenah\subpredicate.exe
      "C:\Users\Admin\AppData\Local\Temp\f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4188
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682.exe"
        3⤵
        PID:3068
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 752
        3⤵
        • Program crash
        PID:2256
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4188 -ip 4188
    1⤵
    PID:2380

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\windigos

    Filesize

    204KB

    MD5

    6079a0802e91cb9f5da4e71139ff1e79

    SHA1

    89414da06acd2285aa91a604cab3f37a733f62e1

    SHA256

    af11511f747b4b2b353a22912449a2ab957dacf7e2854eec985a0a371c92503a

    SHA512

    c7a9cb8d1e326e1ddea3342561b83c7a8a90aa3ad99d2b91d3b8fcc307846d378559578d666ad288eea5211de5f833009adeba37197bd601f0de5965144fac2a

  • C:\Users\Admin\AppData\Local\meshuggenah\subpredicate.exe

    Filesize

    1.1MB

    MD5

    51b591af51c719fe45c77aefd310b748

    SHA1

    8ba7fef83fbd129616b8e94e0c489c412bd70ae3

    SHA256

    f88a8a2d76d4c0e6cd190fc96c22bca3e9e86c5040ab059dfff786710a9d4682

    SHA512

    da1ed6e4cc287eb264abc43793c1a44df3abc56a94db81f9182f952468304993e97a8a50f46d37e253d1f44b8bfa073c931902161c5d4532c87b9a2300f8e080

  • memory/1616-2-0x0000000004340000-0x0000000004740000-memory.dmp

    Filesize

    4.0MB

  • memory/4188-10-0x0000000003EA0000-0x00000000042A0000-memory.dmp

    Filesize

    4.0MB