768f7b22ab2a7c43914ce865f49ac9300bf98a0e40b8c2af8fd5144241435570

Analysis

max time kernel
100s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

377f7b2c2c6adc9cbb464dbce216962a7c7f55ee2ca95a5e89020f4115abe744.exe
Size

340KB
MD5

19becff2f656ca71ab841ef21326e577
SHA1

d8558e5b66f691967699071138b3042ad5560895
SHA256

377f7b2c2c6adc9cbb464dbce216962a7c7f55ee2ca95a5e89020f4115abe744
SHA512

e959036d29c2e11945c92517d7505cb9d8a0d774cfffc9ea91797a74378912a0b75edb6afa278ef4ab6a43ea5f1c11b0f4ee708faecde64fa60928bd2ad20ba8
SSDEEP

6144:rGiNO66MLnlsoebXltYhzAlH9bun+JU6ks2VTD7+ylh1fC0oU:hO6D96tYGliAkdTDK41fjP

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3984	rhirzqxzel.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2588	3984	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	377f7b2c2c6adc9cbb464dbce216962a7c7f55ee2ca95a5e89020f4115abe744.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhirzqxzel.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 3984	1124	377f7b2c2c6adc9cbb464dbce216962a7c7f55ee2ca95a5e89020f4115abe744.exe	83
PID 1124 wrote to memory of 3984	1124	377f7b2c2c6adc9cbb464dbce216962a7c7f55ee2ca95a5e89020f4115abe744.exe	83
PID 1124 wrote to memory of 3984	1124	377f7b2c2c6adc9cbb464dbce216962a7c7f55ee2ca95a5e89020f4115abe744.exe	83
PID 3984 wrote to memory of 4756	3984	rhirzqxzel.exe	84
PID 3984 wrote to memory of 4756	3984	rhirzqxzel.exe	84
PID 3984 wrote to memory of 4756	3984	rhirzqxzel.exe	84
PID 3984 wrote to memory of 4756	3984	rhirzqxzel.exe	84

C:\Users\Admin\AppData\Local\Temp\377f7b2c2c6adc9cbb464dbce216962a7c7f55ee2ca95a5e89020f4115abe744.exe
"C:\Users\Admin\AppData\Local\Temp\377f7b2c2c6adc9cbb464dbce216962a7c7f55ee2ca95a5e89020f4115abe744.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Users\Admin\AppData\Local\Temp\rhirzqxzel.exe
  C:\Users\Admin\AppData\Local\Temp\rhirzqxzel.exe C:\Users\Admin\AppData\Local\Temp\qenbldawg
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Users\Admin\AppData\Local\Temp\rhirzqxzel.exe
    C:\Users\Admin\AppData\Local\Temp\rhirzqxzel.exe C:\Users\Admin\AppData\Local\Temp\qenbldawg
    3⤵
    PID:4756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 596
    3⤵
    - Program crash
    PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3984 -ip 3984
1⤵
PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\po6bh2ndceyluwoq3

Filesize
213KB

MD5
d3d11ce889f31bb798629123cb3f2e9e

SHA1
92ae026a3a9bb81fed4558f2b03938fdc61e9e66

SHA256
d017475ae0fe8888dce5384e5cb4668a26c5fb662a0e57595f91bbac8f50d5a4

SHA512
caed9575f7325159edb4a506f2fab0d0f5e21f1c2ab311a1070454853c2227a52a85a685db47b6a392771d3467967c514f7bdb064291db5cb523555c3b0777f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qenbldawg

Filesize
5KB

MD5
ad8296469a742dd29b322430856c5896

SHA1
7e35ad46bf09e8410d5c5ed9636952f4a0856a16

SHA256
6783af2d4c44db94721c12483cabc1cfe6ba184ce1186f04f4b44395d78ca57b

SHA512
65bc71fe0b7f3943b4319d21fa91751fe07afec5b7761a8375d8f43127a5d5f4a575d38618d920a199f359e2ca97b1656b0755d8f68dd3aad97f31b31812b353

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhirzqxzel.exe

Filesize
179KB

MD5
8eba063264c95a7a03ff814a0a52e290

SHA1
b4f369189f03b9226f5c7deec519f3d32add08a2

SHA256
77b2a7dfaf2070513e4ba93278e59bc90fb2c357ae6ecb04a4f5a220929d0753

SHA512
7dfb74454d19157f6659bdafedd179145140a7dd6f8bb74f0b8a4d00530306c9fd8ab72219e1731f0a5291ebeaa25612cb11b5a6b490697b39ad5c9dd1eea2f6

Download Submit
memory/3984-8-0x0000000000B20000-0x0000000000B22000-memory.dmp

Filesize
8KB

Download