0a13919e13243f98194b8fe1cbab30eaf536053a9083bef5703e1c3f142dad4c

Analysis

max time kernel
17s
max time network
23s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a13919e13243f98194b8fe1cbab30eaf536053a9083bef5703e1c3f142dad4c.exe
Size

192KB
MD5

f68b64ce5d84e8ff5b7605c53eb6e51c
SHA1

9442b7074064e3f34373308ced3381ef62337cc0
SHA256

0a13919e13243f98194b8fe1cbab30eaf536053a9083bef5703e1c3f142dad4c
SHA512

2058f49fafc70c884f6d3fc9f47edf50e9dd6c6d8de8c402de7e75dbda308939688738083f6435366cdadced02cb06b664d4b85d02654ecac6894daaa51b2a52
SSDEEP

3072:Hr7OolQG5tuUhJjd5iiWv76fNAiJAtPwboxN4j+Aglv1Cq6Q:HrCo5wUhP5pWv7NddGglv1Cqf

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Unicorn-61454.exe

pid process

2568 Unicorn-61454.exe

pid	process
2568	Unicorn-61454.exe

Loads dropped DLL 7 IoCs

Processes:

0a13919e13243f98194b8fe1cbab30eaf536053a9083bef5703e1c3f142dad4c.exeWerFault.exe

pid	process
2440	0a13919e13243f98194b8fe1cbab30eaf536053a9083bef5703e1c3f142dad4c.exe
2440	0a13919e13243f98194b8fe1cbab30eaf536053a9083bef5703e1c3f142dad4c.exe
2448	WerFault.exe
2448	WerFault.exe
2448	WerFault.exe
2448	WerFault.exe
2448	WerFault.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2448 2568 WerFault.exe Unicorn-61454.exe

pid	pid_target	process	target process
2448	2568	WerFault.exe	Unicorn-61454.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0a13919e13243f98194b8fe1cbab30eaf536053a9083bef5703e1c3f142dad4c.exeUnicorn-61454.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a13919e13243f98194b8fe1cbab30eaf536053a9083bef5703e1c3f142dad4c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-61454.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

0a13919e13243f98194b8fe1cbab30eaf536053a9083bef5703e1c3f142dad4c.exeUnicorn-61454.exe

pid process

2440 0a13919e13243f98194b8fe1cbab30eaf536053a9083bef5703e1c3f142dad4c.exe
2568 Unicorn-61454.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0a13919e13243f98194b8fe1cbab30eaf536053a9083bef5703e1c3f142dad4c.exeUnicorn-61454.exe

description	pid	process	target process
PID 2440 wrote to memory of 2568	2440	0a13919e13243f98194b8fe1cbab30eaf536053a9083bef5703e1c3f142dad4c.exe	Unicorn-61454.exe
PID 2440 wrote to memory of 2568	2440	0a13919e13243f98194b8fe1cbab30eaf536053a9083bef5703e1c3f142dad4c.exe	Unicorn-61454.exe
PID 2440 wrote to memory of 2568	2440	0a13919e13243f98194b8fe1cbab30eaf536053a9083bef5703e1c3f142dad4c.exe	Unicorn-61454.exe
PID 2440 wrote to memory of 2568	2440	0a13919e13243f98194b8fe1cbab30eaf536053a9083bef5703e1c3f142dad4c.exe	Unicorn-61454.exe
PID 2568 wrote to memory of 2448	2568	Unicorn-61454.exe	WerFault.exe
PID 2568 wrote to memory of 2448	2568	Unicorn-61454.exe	WerFault.exe
PID 2568 wrote to memory of 2448	2568	Unicorn-61454.exe	WerFault.exe
PID 2568 wrote to memory of 2448	2568	Unicorn-61454.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\0a13919e13243f98194b8fe1cbab30eaf536053a9083bef5703e1c3f142dad4c.exe
"C:\Users\Admin\AppData\Local\Temp\0a13919e13243f98194b8fe1cbab30eaf536053a9083bef5703e1c3f142dad4c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\Unicorn-61454.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-61454.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 200
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Unicorn-61454.exe

Filesize
192KB

MD5
e50d46223d091206c9db0f18bf6690b5

SHA1
8c813acae65ca163cdd0741fbaa3b8791cb2b438

SHA256
21c5e54c4af502b00cebd35e38411efa923dad0421560aeb59461ba4c3182b28

SHA512
3a8b50811b45df8af4b5f69ea5c8f0d5ae561a33c63d1f8ed61d364bfeace9995fd6d9dd0d1593781eb86bfe8f740009533bafbbe0d47507f19c49c89a30c046

Download Submit