d9fe9d908100ab182772f847c7b857f793d38ef5d1e715b9013f8b31414eceba

Analysis

max time kernel
137s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Spare part list.exe
Size

426KB
MD5

cac35edc87d1cdaf5ecdd34900045ccb
SHA1

1323d657bd67d03faefd521b785e0c04b48bee16
SHA256

efc607830d8ab120ce4a9fb8062b9986980430b0cc82115d9cb8aa6f4dac29ad
SHA512

8b7db67d5738da10209e59ae50ce79f39d69ad3438c4dc35110534f073a011048e2e3c21e531e1691041680bd3809297b648075950c1c6348e26dc52e85a6f8f
SSDEEP

6144:YNeZCHXOWlDX1LvW0PJ1qNmN/Nio+BmTku6tMJNiZt7MZ2kY0a0wi++sAWv/kfmE:YN/XO8M0Xq0N/8XBpMniZxi2kY0yFwvN

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3496	rkkzui.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4840	3496	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Spare part list.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rkkzui.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 3496	3212	Spare part list.exe	85
PID 3212 wrote to memory of 3496	3212	Spare part list.exe	85
PID 3212 wrote to memory of 3496	3212	Spare part list.exe	85
PID 3496 wrote to memory of 3944	3496	rkkzui.exe	86
PID 3496 wrote to memory of 3944	3496	rkkzui.exe	86
PID 3496 wrote to memory of 3944	3496	rkkzui.exe	86
PID 3496 wrote to memory of 3944	3496	rkkzui.exe	86

C:\Users\Admin\AppData\Local\Temp\Spare part list.exe
"C:\Users\Admin\AppData\Local\Temp\Spare part list.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Users\Admin\AppData\Local\Temp\rkkzui.exe
  C:\Users\Admin\AppData\Local\Temp\rkkzui.exe C:\Users\Admin\AppData\Local\Temp\lhmmcyvatq
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Users\Admin\AppData\Local\Temp\rkkzui.exe
    C:\Users\Admin\AppData\Local\Temp\rkkzui.exe C:\Users\Admin\AppData\Local\Temp\lhmmcyvatq
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 552
    3⤵
    - Program crash
    PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3496 -ip 3496
1⤵
PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0gy5z1a3hsrcrvua7f32

Filesize
210KB

MD5
c513bebbe6941d47f6df04fbf35286d7

SHA1
e36c8a60ce8c284ec91c8bb99c3aa588f5e496ec

SHA256
ecce894765837d8c0cfa132f7107e36a0163a94a6b7de91ed7b9068d49c0c7bb

SHA512
e682796dd580b13d04c6c16aa8f7a32fd5d807d7eabe2a113ada03073eaedc10319b9d5a45be48720bd1bea9f20f0d96f56eb2458b0bfb5ca6f104009e6ed993

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhmmcyvatq

Filesize
4KB

MD5
044ab2eec1a75bd7f82dc641a5d3af23

SHA1
1b05898043d0342536e115e93483b232ff0b0d60

SHA256
88e2f31f156897b8bd79e9f13294f355e0bb9a8f431f5da43f1f73e5644c9ee0

SHA512
e6b93c2037785a768e5998f9927829f2a2b40690fd561d1a50169aac29107d9247b5f93b6d91507b3235e2758545a47a1408e6abf170fe02d7d4c90024db9f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkkzui.exe

Filesize
4KB

MD5
5504a85ec9912968d5730c57ee61c10b

SHA1
93a21109de21536b28dc51183c26c65d174fbb4a

SHA256
9ac40b495a05fd8d5b2f4dd668d8e0aa5932dd7171aa070e1ad6cb0a96cd6ee4

SHA512
e9dffb4a48237d4621f8d379f491dbee1879d4f6bd834d892d4cc22f30a92b2103e5bb231b0293f8b5f8848f2a050a2f295cfc8ad5c9392418519a00a1576e14

Download Submit
memory/3496-8-0x0000000000CE0000-0x0000000000CE2000-memory.dmp

Filesize
8KB

Download