f30ca63b742b25d6edfb3a8f2828b08a0cfbb5d0bec0e956471c26ca9b7647a6

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cabb80e60885c678211fa4a1653e92f98d9383ee9c31b2576ec507153585d477.exe
Size

304KB
MD5

c9070047ab2475ee0a972aa35e607d6b
SHA1

c6147247f9f048a4260293c3ffd38504f47a3e7d
SHA256

cabb80e60885c678211fa4a1653e92f98d9383ee9c31b2576ec507153585d477
SHA512

fbb9c1f00c4826ee08e04b864a2b84fcef0c1935a258dd229173170cca52d0d364c48cb9de458b89ea1f41811fe42dea3549ce1aa34235648902b7adc1e239cc
SSDEEP

6144:1xDNXvMZdAkGun7Q4cu7uTpBz0hs9V4SGrPyQaL1S:xXEX9849uTMhA4SC7aLg

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2344	xbgsaxgvtq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3992	2344	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cabb80e60885c678211fa4a1653e92f98d9383ee9c31b2576ec507153585d477.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbgsaxgvtq.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2344	2884	cabb80e60885c678211fa4a1653e92f98d9383ee9c31b2576ec507153585d477.exe	83
PID 2884 wrote to memory of 2344	2884	cabb80e60885c678211fa4a1653e92f98d9383ee9c31b2576ec507153585d477.exe	83
PID 2884 wrote to memory of 2344	2884	cabb80e60885c678211fa4a1653e92f98d9383ee9c31b2576ec507153585d477.exe	83
PID 2344 wrote to memory of 4540	2344	xbgsaxgvtq.exe	85
PID 2344 wrote to memory of 4540	2344	xbgsaxgvtq.exe	85
PID 2344 wrote to memory of 4540	2344	xbgsaxgvtq.exe	85

C:\Users\Admin\AppData\Local\Temp\cabb80e60885c678211fa4a1653e92f98d9383ee9c31b2576ec507153585d477.exe
"C:\Users\Admin\AppData\Local\Temp\cabb80e60885c678211fa4a1653e92f98d9383ee9c31b2576ec507153585d477.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\xbgsaxgvtq.exe
  C:\Users\Admin\AppData\Local\Temp\xbgsaxgvtq.exe C:\Users\Admin\AppData\Local\Temp\brsrmerpn
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\xbgsaxgvtq.exe
    C:\Users\Admin\AppData\Local\Temp\xbgsaxgvtq.exe C:\Users\Admin\AppData\Local\Temp\brsrmerpn
    3⤵
    PID:4540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 696
    3⤵
    - Program crash
    PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2344 -ip 2344
1⤵
PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\brsrmerpn

Filesize
4KB

MD5
68811df78ba2b483fa9017f7608d66a7

SHA1
aca606388306f830e04776ced65c92076a44c8b8

SHA256
c1e5b6b3632bab050f44e99373408954c82aad38787a4b79b4d1f1fb51d8af09

SHA512
689b469ee753ae4efba2d1fd3b782212d96571d453c402703fe34097e0fc65e85f7baa1842de56eb27e2fa0ce8f458815d5ab01da9c618d87022703e7f086b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tssjhtz0mqxw2l

Filesize
214KB

MD5
35067408289533597691ee34f51606e3

SHA1
2ba18281e842683a5fb37acaa5e737bea02920fa

SHA256
2d6813cc79094c70a56d820fe897d1b8deab36cb5caafd78fac59b6335e2c663

SHA512
97828ec11fee617b415f61a4333ba9e663260d4a86ddab4c8af41b3c4739086cefa08d3c9548d5e8239e0df26a22dc6e457f7d516b4f7c042629cdae02a2ac9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xbgsaxgvtq.exe

Filesize
6KB

MD5
2ba1a350b5a4deba2dd52d84c03534b4

SHA1
ba6baa55c68ee4b7979ee3fccc2c54878c705a2f

SHA256
95ecc7f27ad29fed67b107020ab9291ec6115bd6a375306331de7d98deda578b

SHA512
5575e7e591f3f3e6dc461f8ef9203decc1c1295f9588b70ae9c2e0c85bf7116b60ea15718cf3875969b261aa2f8e874bc361bb5130b5c7e3bc2aeee2797dca0b

Download Submit
memory/2344-8-0x0000000000B70000-0x0000000000B72000-memory.dmp

Filesize
8KB

Download