1ffc202c964a238fb1ea99a22a264d49953dd6c9511932f5377cf04116ffd773

Analysis

max time kernel
95s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487.exe
Size

304KB
MD5

d5949e2ad723b184d5622ce746b0177b
SHA1

10f1ec8f4a1ce70546a4ca25965b606ea2bc20ae
SHA256

c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487
SHA512

9a98a61a1c4f9a072ca9a809c6d582afd02826a449cfbdf58422b0e5dd7886acad515eae1a575e1097e8445eddc9d648592b62ea3560c51f008a235a1b0fa6c2
SSDEEP

6144:RNeZ2KnbGYu/gc3BOsNExg7ncENT33uRh9Y/qAMJJdLZ+cb4YO:RNpKnyXgcxOsNEEcENT33uNIqbJB4cbW

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2716	oryvzibei.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3712	2716	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oryvzibei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 2716	4780	c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487.exe	82
PID 4780 wrote to memory of 2716	4780	c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487.exe	82
PID 4780 wrote to memory of 2716	4780	c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487.exe	82
PID 2716 wrote to memory of 1164	2716	oryvzibei.exe	83
PID 2716 wrote to memory of 1164	2716	oryvzibei.exe	83
PID 2716 wrote to memory of 1164	2716	oryvzibei.exe	83

C:\Users\Admin\AppData\Local\Temp\c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487.exe
"C:\Users\Admin\AppData\Local\Temp\c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Users\Admin\AppData\Local\Temp\oryvzibei.exe
  C:\Users\Admin\AppData\Local\Temp\oryvzibei.exe C:\Users\Admin\AppData\Local\Temp\odifjvp
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\oryvzibei.exe
    C:\Users\Admin\AppData\Local\Temp\oryvzibei.exe C:\Users\Admin\AppData\Local\Temp\odifjvp
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 540
    3⤵
    - Program crash
    PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2716 -ip 2716
1⤵
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\odifjvp

Filesize
4KB

MD5
bb1182030e05f8a3c49279a7886ef96c

SHA1
aeb622a2f719c27ebc716bee887b8b5ccaeed89e

SHA256
d6a52a2e8f8aabb812f26cbb77e8390a8fa4a1304dbfffedd1c641d3c086a53f

SHA512
a1b7c11d0b7eb7c5a84406a77ba07833abc925ae2e444e92c9a42558c6b3c80cddaf649dcba4329a19c9a1584b929de0706f7a57744f25c03885d0306e06d947

Download Submit
C:\Users\Admin\AppData\Local\Temp\oryvzibei.exe

Filesize
4KB

MD5
0361a9f359f0e790728f7233f15a24ba

SHA1
316941b24d00b64baf38a76e3a44596a6bdbef37

SHA256
60b3f54da2275f4e7062a18ad72b413db3826d00170a859ec533fb1328758594

SHA512
40bb782aff60a54a88a0d0424a6636e6d738f500b491713547c8dc43e69360ab002cb644325537e3eebacc78be654f211c93467f6fcedb603572e2ceb20ec128

Download Submit
C:\Users\Admin\AppData\Local\Temp\q8h6hoagwqe

Filesize
210KB

MD5
c73396de899e9b6993217511b2b5e7cb

SHA1
8d7d0831a5cbfe70f91fc1d987cd2de806b8f72c

SHA256
fb95f337130d5653a230b63f2d7d3ca3148cc1ca74274f90e031904bb1cc2a19

SHA512
2a014ed6e834f812d3f0228fbc879871ffa51003ffb8adc1c8639ba8e2ee42a5551cee567379307106bf183b5ed5a5b6a15352327579b5ee15106da4fe4bdb1e

Download Submit
memory/2716-8-0x0000000002150000-0x0000000002152000-memory.dmp

Filesize
8KB

Download