1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe
Size

9.4MB
MD5

4a38f10d7e0a0a64bd1bdbd2b4828ac0
SHA1

d9a7a264e503b7ccc05a6db30c116568a124c6e4
SHA256

1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4
SHA512

13da9f3a61a5a4f5934ec5925ea203a3b6b51cef6b75c031f3526e04b39d829c2811f40a9a83669089576e479e966ed219f9b0d93aa5c002815c2038e80d1b57
SSDEEP

196608:+L7kXY+H6QTLMMiUs5n7W99q7riZINE5MLXthfMcR5u7JhepRsBVximgEyVFAcm4:+sXY+XJClW7KrSINEI0468

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 16 IoCs

Processes:

1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe

pid	process
3700	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe
3700	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe
3700	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe
3700	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe
3700	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe
3700	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe
3700	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe
3700	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe
3700	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe
3700	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe
3700	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe
3700	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe
3700	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe
3700	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe
3700	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe
3700	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3436 3700 WerFault.exe 1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe

pid	pid_target	process	target process
3436	3700	WerFault.exe	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe

description pid process

Token: 35 3700 1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe

description	pid	process
Token: 35	3700	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe

description	pid	process	target process
PID 3028 wrote to memory of 3700	3028	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe
PID 3028 wrote to memory of 3700	3028	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe
PID 3028 wrote to memory of 3700	3028	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe	1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe

C:\Users\Admin\AppData\Local\Temp\1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe
"C:\Users\Admin\AppData\Local\Temp\1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe
  "C:\Users\Admin\AppData\Local\Temp\1ddc21f2de2ac96155228d9a5d6ed087f1376211fa058aa4d6cafa4142dc92b4.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 628
    3⤵
    - Program crash
    PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3700 -ip 3700
1⤵
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI30282\VCRUNTIME140.dll

Filesize
81KB

MD5
55c8e69dab59e56951d31350d7a94011

SHA1
b6af2d245ae4d67c38eb1cd31e0c1cffb29b9b2c

SHA256
9d8d21022ff9d3f6b81a45209662a4f3481edc2befae0c73b83cf942eab8be25

SHA512
efb2ac1891724df16268480628eb230b6ee37ed47b56d2e02a260559865cdd48ee340ce445e58f625e0f4d6dbdc5bfb7ce2eeedf564b837cff255ef7d1dc58cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30282\_cffi_backend.cp37-win32.pyd

Filesize
152KB

MD5
0c6f3ae411e82b37ab4d6fbc22a3ef7c

SHA1
8ac797b5a703a1f10ec10e1ecc8c04d6aaebcafd

SHA256
33a5ab6c627527887b82058c4dbfbfd5d88bbf187302e73aa3169b81e12cba40

SHA512
48385d18cc1ef13a9b68c3e9450d1980f0bd9ef466c44c94350e418f7daea86f97e60ab5de8a43d2efc34ab49c47cbe87c6ef35679473528a1840e940e3cdad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30282\_hashlib.pyd

Filesize
24KB

MD5
a9918e714e28a0d4a167c4a73f554d81

SHA1
69a4fef9eb1e3bc779bece2ab946e2604dad419a

SHA256
661aa7ab2cd173b112fef560a3bf63a87c906c8b184cb261632c5a32c6c25185

SHA512
2d295fb57021f1cb9cdf15aaabbaf6a7393f918f675c3bfea58a2205ba948ce15a787254008ba7b146eb55474b24e772b2886fee4e3f98a68011df54ff5d4408

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30282\_queue.pyd

Filesize
16KB

MD5
0c637a3df9380c487613bca1c6c9f741

SHA1
f958597c6503599964e26d8df7d4804bb3993c0e

SHA256
9774e28ffca8b222f32afca5a34bfefb01e53188630be7cffcf615b3a068b0c1

SHA512
e0e5f3814d6942e96fb21cc3ea42b523cfafcf3c32b9ffa1a8a05631c85b45226a7523546cd13a22998e71498ae6e1c051d84f6335391cc80990702d4780188d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30282\_socket.pyd

Filesize
57KB

MD5
2e407bb1a3a58191c0f68c1ec3cd5b36

SHA1
bb5998b7113dcb2b2229a8c6e35ddb6b09ddbf91

SHA256
2ba14eda8ac2189ee7c0b136f653030c5078deaf3a792ee47e9b9a4b859a0675

SHA512
47d4bdc956916c0444984a42dce9713cefb06053eea24010721f41b3a5ec2b8e15c16a80531a84ee12067b7283d332356ca69cd6b9c51a07d7ce3ee139869fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30282\_sqlite3.pyd

Filesize
60KB

MD5
f1218553c9cac6b919bc02fb1797bf13

SHA1
86fda1e8e284aebdb8759b8f969cedf5ae8358e4

SHA256
c219f1422e72e14e821fe15acea9593cfa05dfe20ba177085784d858df3895ef

SHA512
5799823767d0d72dca0ee970f32c60b6a7c5a9a19a20c19371e8832eb984124b1824cb340bcf04082508ed60fa1e74f026e5ee88928bb2e0392fb2ce30cc68f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30282\base_library.zip

Filesize
760KB

MD5
fd5fe899ed57da817989475a9fa80b17

SHA1
c0a99e0b7c9c182384d38905193182355a65a053

SHA256
f3a57a4a006a3e6b9b335d1593f39f9dacdb61fc46d0c5e416dd10bf41e6c663

SHA512
3460cd47a3ff27b433a122a302afbd535918ba528ab8e24b71a3b25f118b5c67d4a2f83710f89c1c7f04543d6684fe0ad23ddb64a2c7ffe19ac8244f1d25ab49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30282\cryptography\hazmat\bindings\_openssl.pyd

Filesize
2.8MB

MD5
2e94d89f4bc1a67e750d6f0805c21b40

SHA1
758c4921e4aed1053d5e970fc3e42123abcdb6c6

SHA256
5c9ca3556e7fb2cfd85e8994c6aa19ccbdb57247d39183c542beade9658dff1d

SHA512
ed7fd7fc08a53ed54c8750bcce8e8d5bd76029b4fbc78eec4779776b6c5ef955631547e83a9c6bcfd59d830ba05b4fc85ac18146566f29c85725384298e304b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30282\cryptography\hazmat\bindings\_rust.pyd

Filesize
1.3MB

MD5
656648dec6c8869cd06ce78f925d2ef0

SHA1
eff515fdebee02707c48f785938d7714588f050e

SHA256
85d4d4359fe3a74b04d9c6faebe95a37a9327a5101b0d8b2a394b23362914c6a

SHA512
995527a74a0fbe1ffd8c16c598c203b64af3bfaf99c1d99428d8cf7aa08246c5c8001bdced892dd64ae35f64536612cbfe2db32fa953ae1b52abcfc97b8aeaa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30282\libcrypto-1_1.dll

Filesize
2.4MB

MD5
c5683ecbe1584f225b666a54c95ce73f

SHA1
014430aabc070c583441aa121291f9bb06dae670

SHA256
0054ced974ae447c3d6e9ca312feb8a0a5dcca81dd92e940d3d8276add3e2f00

SHA512
f46472ba5276a0d6c5826d158e24224e2c2de285807999cf90d3793f6c8a103de9f412de9cefa56b24a18ef3996cc695ba437d8957b87bfd0ee7e7810909cdbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30282\python3.dll

Filesize
50KB

MD5
d099405b08a79927f08ab28246810866

SHA1
1af78315a6cf2d1fdc6555b568118c174658d104

SHA256
b51c88ac791ed574edfb2e346095fbc296a2c36250c2bffdd28bb424d8135ae7

SHA512
7874b354792d2244d1484367ef6a6ab09d620d431c812f206c4c976b81433d6c4f17d14d1f642622271c15931f190e3aa9042245873faa51d36705aad578562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30282\python37.dll

Filesize
2.9MB

MD5
286dd0bde2b853a611e7e193a28d411d

SHA1
460eb1717bff4e358cbf10d73b779f475a36e11d

SHA256
5a2547ffc53680bca395e61714e36f35f25ddd7099e1e7ee0bda04865e9012b6

SHA512
f900c830592ff64145bde86ed7331bf6655a6ed12b55bdedf7666e5d96bf53865637ae08e62541b06211952887db0d229c47e30447ac3f9567d31c3f3730a2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30282\pywintypes37.dll

Filesize
115KB

MD5
77719818e673e7fa6e1c570859530fb7

SHA1
5f4d3ee11c55f561924c9a3261fb7b5067b2e2c4

SHA256
15744c8a510b30c7574d4a687ab42e934b9dbc43ba64fa0ed0d6b4e4a68dc81d

SHA512
85a58f98c5759eadc37f4c606a1b717c3618bfd46113361805f2b893e0146399bb3ddd112f2ec7da029f9ba5e2e23ba604f775497db40209547e7f99eb7fe71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30282\select.pyd

Filesize
16KB

MD5
1997b89ddd2df6c3b4fcf6f05ab15aab

SHA1
cde9100e69cfa8020328db4c56824dbcdab3e9f1

SHA256
f94e54d25ba8c9c41ee2496a1887df215b7ca5b4f8ee47aa7db98168a2498b60

SHA512
3110dac4d9430dddda868e54eb6de1865e88e4e5a912fc4d267eee1f84712aa7103c71119a2cc43f7eb15287073725e69d7e7f102a32936fdb85530521eedd2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30282\sqlite3.dll

Filesize
1.1MB

MD5
d2611a4ecb84a924b53e6175e81dd923

SHA1
3d7dd01e3f7e851a689a2180cf0df7c1a230e3f7

SHA256
d2e2270be83e25a1895407cf087b5dbfdf1c82478dc19d7e4e6ac00060a2e121

SHA512
78cff3a5905e64ee162806e63c229593cd332e47bcf0044c9a8aed9b92d3bc11d6c90673ebdd0c6764d7c4db9455a6c7eeea241c062c70e302b81afcd1eae6e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30282\ucrtbase.dll

Filesize
1.1MB

MD5
6343ff7874ba03f78bb0dfe20b45f817

SHA1
82221a9ac1c1b8006f3f5e8539e74e3308f10bcb

SHA256
6f8f05993b8a25cadf5e301e58194c4d23402e467229b12e40956e4f128588b3

SHA512
63c3d3207577d4761103daf3f9901dd0a0ae8a89694ad1128fd7e054627cdd930d1020049317c5a898411735e2f75e2103ae303e7e514b6387a3c8463a4fb994

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30282\win32crypt.pyd

Filesize
105KB

MD5
8922e3edd7e8a956d5992f1b23b13926

SHA1
c98507e702395abba0add66e23461edef18c8a9e

SHA256
b4acd9df9ee1ad1df6ea247695bf980d3d60e2ce4a8b163101f4dfb2530eb097

SHA512
724ba6ff0b1ecae8cf44d86568ac5fce7d3318dd50a5e164af964ba20fb0338ad2f7b6e44b4438ebaafb4e988a91c9fe88aee91aae234019f81d0434cac2f381

Download Submit