075d3b5ed653c153e9fffcfcfa330cf99aae102c8f032a7a8ff730060e6e5224

Analysis

max time kernel
94s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe
Size

332KB
MD5

9572e695a50ea24517e2414010e10b46
SHA1

ae079d5e44e8b797dd8c29a9f9fd13d9466bc97a
SHA256

d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f
SHA512

ed98a7c1dcbc2fdc8ec0baf5b79586340b4e6552ab2026ddfa0efff3c526862baf81b873a6cf14e054219f629bf7609a42d88845949bfb54e49bd399543a57f8
SSDEEP

6144:TxD7+ihfubpqe6ZFBwZlt26euWhXlUCU0Ch5dlGBkV8Vd1vBIZLlGs7:4guA1ZFBilIpuKChNV8Vd1MLo+

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4916	znompeu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1116	4916	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	znompeu.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 4916	3264	d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe	82
PID 3264 wrote to memory of 4916	3264	d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe	82
PID 3264 wrote to memory of 4916	3264	d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe	82
PID 4916 wrote to memory of 3164	4916	znompeu.exe	83
PID 4916 wrote to memory of 3164	4916	znompeu.exe	83
PID 4916 wrote to memory of 3164	4916	znompeu.exe	83

C:\Users\Admin\AppData\Local\Temp\d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe
"C:\Users\Admin\AppData\Local\Temp\d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Users\Admin\AppData\Local\Temp\znompeu.exe
  C:\Users\Admin\AppData\Local\Temp\znompeu.exe C:\Users\Admin\AppData\Local\Temp\rgavkpxs
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\znompeu.exe
    C:\Users\Admin\AppData\Local\Temp\znompeu.exe C:\Users\Admin\AppData\Local\Temp\rgavkpxs
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 488
    3⤵
    - Program crash
    PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4916 -ip 4916
1⤵
PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3695bcfdr9eu0

Filesize
210KB

MD5
21283579ae331b1495ad866408aab9b0

SHA1
b2a9cb3e3b30d17c849713e7193404dc9863959d

SHA256
f3fa6eb6757fca96cdae8958f8446c9e49527e593031bb32dfccc3ff976fa432

SHA512
f8518631b04d00b2c00b45912df2ab8ed44cc31ea2b6afdf075ee1e1b2ff3ef74ec35275a495321dd6746814726b9045e30e8735240d6b9667f7695aff1e73e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgavkpxs

Filesize
5KB

MD5
2af81e6c3061790ce149ffc656096753

SHA1
504ca42eb12a22cf770f9fba3a305ca5cbdd2ab2

SHA256
584c53db963412e640e1320a4d48fe1904afcc2c735d6ab8e4eb64c74eb0360c

SHA512
f7853f4f09e08426953131cd743b154091d413c45c8c09a1c247f9469937963c54f326bb12141decee14a7b05fc70e835733a339dd908549312cce7c1dd7a46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\znompeu.exe

Filesize
222KB

MD5
09bbca18da135482d44b23c70f9d8568

SHA1
9edfd59b24069657a2cf6eb35cfe5bed6e3d1fe7

SHA256
0013c266aef2611a034268e74cf293cf443b9246ef569c9acf6fadab59a45341

SHA512
a743f45e84515ed0965ae25ad1f0ac4a8821899e9292c1b0e6cdea93cb2b7f488a38c2ad8eff668c4170495516145476a232518a4f54ebc1aba557c04b43bf15

Download Submit
memory/4916-8-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download