eb7c12418a94021b58bdf44cd672076858c537a17552ffd28a34a721097c46b6

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb7c12418a94021b58bdf44cd672076858c537a17552ffd28a34a721097c46b6.exe
Size

430KB
MD5

673e77da85c204fd86709475f54dc6b3
SHA1

da68a4e5fc62eb5ca2f3394f22d288db7fe5485b
SHA256

eb7c12418a94021b58bdf44cd672076858c537a17552ffd28a34a721097c46b6
SHA512

6c77602d20db530923e6369a9c9b8ddc86c0dd93198cc7d7538fa6ffda08458952e790b497c056acb0f6df678c4b620841ea0446ff2e219fff598a4b477ea890
SSDEEP

6144:hBlL/+lrHomkbgytaFTAGGW56pXrT6DpFpK7ULtVjHIvDp2IWyxRKQXPn03fmoGJ:nNbrGAGGy6pXAhqYA8IhPOfmoGJ

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

eb7c12418a94021b58bdf44cd672076858c537a17552ffd28a34a721097c46b6.exe

pid process

4264 eb7c12418a94021b58bdf44cd672076858c537a17552ffd28a34a721097c46b6.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4564 4264 WerFault.exe eb7c12418a94021b58bdf44cd672076858c537a17552ffd28a34a721097c46b6.exe

pid	process
4264	eb7c12418a94021b58bdf44cd672076858c537a17552ffd28a34a721097c46b6.exe

pid	pid_target	process	target process
4564	4264	WerFault.exe	eb7c12418a94021b58bdf44cd672076858c537a17552ffd28a34a721097c46b6.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

eb7c12418a94021b58bdf44cd672076858c537a17552ffd28a34a721097c46b6.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb7c12418a94021b58bdf44cd672076858c537a17552ffd28a34a721097c46b6.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

eb7c12418a94021b58bdf44cd672076858c537a17552ffd28a34a721097c46b6.exe

description	pid	process	target process
PID 4264 wrote to memory of 2216	4264	eb7c12418a94021b58bdf44cd672076858c537a17552ffd28a34a721097c46b6.exe	eb7c12418a94021b58bdf44cd672076858c537a17552ffd28a34a721097c46b6.exe
PID 4264 wrote to memory of 2216	4264	eb7c12418a94021b58bdf44cd672076858c537a17552ffd28a34a721097c46b6.exe	eb7c12418a94021b58bdf44cd672076858c537a17552ffd28a34a721097c46b6.exe
PID 4264 wrote to memory of 2216	4264	eb7c12418a94021b58bdf44cd672076858c537a17552ffd28a34a721097c46b6.exe	eb7c12418a94021b58bdf44cd672076858c537a17552ffd28a34a721097c46b6.exe

C:\Users\Admin\AppData\Local\Temp\eb7c12418a94021b58bdf44cd672076858c537a17552ffd28a34a721097c46b6.exe
"C:\Users\Admin\AppData\Local\Temp\eb7c12418a94021b58bdf44cd672076858c537a17552ffd28a34a721097c46b6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Local\Temp\eb7c12418a94021b58bdf44cd672076858c537a17552ffd28a34a721097c46b6.exe
  "C:\Users\Admin\AppData\Local\Temp\eb7c12418a94021b58bdf44cd672076858c537a17552ffd28a34a721097c46b6.exe"
  2⤵
  PID:2216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 972
  2⤵
  - Program crash
  PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4264 -ip 4264
1⤵
PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nss72EF.tmp\woskyvpzx.dll

Filesize
19KB

MD5
dd4ff4b24f8b39951e3946a5282b7ed0

SHA1
d4d1015d01326ba4526fcff52e4c9bbb271d951e

SHA256
f880d09a6f9bc64f974844f92fa9bb764dc2613342fde134d8c037a2267506bc

SHA512
6e822b523f15948a42b1d2703525c8f3744fbb6a7e3aff99345908822fbd65dafe38d6972976211f9558c712d65be1c1a42bb9dabb63fb4576c409ce95e93528

Download Submit
memory/4264-8-0x0000000010005000-0x0000000010007000-memory.dmp

Filesize
8KB

Download