76fa28512d1877143b820dd3b97b309190733fd06648927869a8e68022947139

Analysis

max time kernel
99s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order-940211730-pdf.exe
Size

316KB
MD5

48f5cf7cce8a7c481bd42065f64cda06
SHA1

573b9f300a295e80c5d61f676b3cb847db5c9a17
SHA256

8469a2a0268409d60d0d78dec451e520796106f8920dd4476e8fac728d0cc9b9
SHA512

a56bf21244448ffc0bdfb72e047ab8c2eccab9fc1f56c3afcf1d5bbc11390b711fac8b826ec297d716ebdf779013a91c390d7587e0efa9473fb25c37346502ac
SSDEEP

6144:owzgftmXE/z/dijeNOetfxvsgPzIFXrIN1QXghMoMhkC:ofFrrNJfxvPPzIFMN1QXghMoMhkC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4596	kmnjg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2896	4596	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order-940211730-pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kmnjg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 4596	4232	Order-940211730-pdf.exe	82
PID 4232 wrote to memory of 4596	4232	Order-940211730-pdf.exe	82
PID 4232 wrote to memory of 4596	4232	Order-940211730-pdf.exe	82
PID 4596 wrote to memory of 2012	4596	kmnjg.exe	84
PID 4596 wrote to memory of 2012	4596	kmnjg.exe	84
PID 4596 wrote to memory of 2012	4596	kmnjg.exe	84

C:\Users\Admin\AppData\Local\Temp\Order-940211730-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Order-940211730-pdf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Local\Temp\kmnjg.exe
  C:\Users\Admin\AppData\Local\Temp\kmnjg.exe C:\Users\Admin\AppData\Local\Temp\bodyzweapn
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\kmnjg.exe
    C:\Users\Admin\AppData\Local\Temp\kmnjg.exe C:\Users\Admin\AppData\Local\Temp\bodyzweapn
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 584
    3⤵
    - Program crash
    PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4596 -ip 4596
1⤵
PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bodyzweapn

Filesize
5KB

MD5
d161975bcaf7cfd3de8dc4a37653c1d5

SHA1
b5e61fb06c2fb114430d63f8cad1927d77993da0

SHA256
c5c71f13e5bc6fbbb15b0660a962bd34d63f6cbcff17530bc48a9ab8cfa42a88

SHA512
e89f413acf9e83bee249fdd3dd32ce6eae7bb9cb1889c65b7998bc432f966cc7d1d4e873403326dccdbdb4689e63abc8a4fbdc10a771ec8277783c73ae16660a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrvch4heo1xaa

Filesize
211KB

MD5
3f9f5918baeecd565f401ab5af3b2d08

SHA1
b62677d128241fa345cf44979294f55a7fcfde8c

SHA256
c8b0d215336ad28fa42bb569e63f809c5006366d0a9030b7cb3399af6104003d

SHA512
83043b15c08899334fb03b57c53761ab82120034a85e96facbe1ad168862a4b91db9a89cc552b0d10fce8feac39a9a2fdd9dc05bf20e4368fbdf2ce6c3e2680f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmnjg.exe

Filesize
170KB

MD5
53face3b36237ca409c4f8c277842fbe

SHA1
bca858bff9d11ffc6c5772c01aceee84e52a8eec

SHA256
8a4451db9a95c45c952c228c36d5976d5d9164077d6c9969f9206b6248963f81

SHA512
813ea54c1b643f5f4222bb97f82a73bcc07c9fa3ae459a748936dcff810caf19cb9771e09035e13efc1bae0ad611647dad0862d9132adf92bf01abfa7e33e31f

Download Submit
memory/4596-8-0x00000000006B0000-0x00000000006B2000-memory.dmp

Filesize
8KB

Download