05169db7f1ffd49e6ed73d6d55db576bcd1a89615588f1a2713af98e8f860456

Analysis

max time kernel
95s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05169db7f1ffd49e6ed73d6d55db576bcd1a89615588f1a2713af98e8f860456.exe
Size

307KB
MD5

edf52574766332cf4090475c1c76a913
SHA1

26c73c7d963cc95d1b25fc37f0a1c898887971b3
SHA256

05169db7f1ffd49e6ed73d6d55db576bcd1a89615588f1a2713af98e8f860456
SHA512

34235fb3ee5f5ad249dcdb8efde878a758c0fc7581ca93723028a432f33dda87bcbc27d064d37ec153ca91ce1ec8a8457fad9e224020f167fccbdd79a493a3ae
SSDEEP

6144:rGiGYU1PwJbC2i499oTnPAcX9fEdMdKS5ZgLhX7WOQ5yTt:6YmPwJbC74cPt9sdNIqLhXIox

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5004	mlkdtrqkv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1968	5004	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05169db7f1ffd49e6ed73d6d55db576bcd1a89615588f1a2713af98e8f860456.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mlkdtrqkv.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 5004	4624	05169db7f1ffd49e6ed73d6d55db576bcd1a89615588f1a2713af98e8f860456.exe	82
PID 4624 wrote to memory of 5004	4624	05169db7f1ffd49e6ed73d6d55db576bcd1a89615588f1a2713af98e8f860456.exe	82
PID 4624 wrote to memory of 5004	4624	05169db7f1ffd49e6ed73d6d55db576bcd1a89615588f1a2713af98e8f860456.exe	82
PID 5004 wrote to memory of 1048	5004	mlkdtrqkv.exe	83
PID 5004 wrote to memory of 1048	5004	mlkdtrqkv.exe	83
PID 5004 wrote to memory of 1048	5004	mlkdtrqkv.exe	83
PID 5004 wrote to memory of 1048	5004	mlkdtrqkv.exe	83

C:\Users\Admin\AppData\Local\Temp\05169db7f1ffd49e6ed73d6d55db576bcd1a89615588f1a2713af98e8f860456.exe
"C:\Users\Admin\AppData\Local\Temp\05169db7f1ffd49e6ed73d6d55db576bcd1a89615588f1a2713af98e8f860456.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Users\Admin\AppData\Local\Temp\mlkdtrqkv.exe
  C:\Users\Admin\AppData\Local\Temp\mlkdtrqkv.exe C:\Users\Admin\AppData\Local\Temp\mfrjwepj
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Users\Admin\AppData\Local\Temp\mlkdtrqkv.exe
    C:\Users\Admin\AppData\Local\Temp\mlkdtrqkv.exe C:\Users\Admin\AppData\Local\Temp\mfrjwepj
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 444
    3⤵
    - Program crash
    PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5004 -ip 5004
1⤵
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mfrjwepj

Filesize
5KB

MD5
7052401489ba7912ed76f2e0f43777d9

SHA1
4322fa68b4a3386c59fc208e2778f48ee83f36c6

SHA256
72091bdfa98d545c75711f12bf11f0698e9a9e1f3c2f96df0610f406a5a92b11

SHA512
d74755e3cf0701b409aef97398c2375b2b6e46ef4a00c6e9e3862fbf6329003d9ab77fd2d3dd2815a247247888d79b32dee8d65f7e6f30009c0aca8b02b58c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mlkdtrqkv.exe

Filesize
117KB

MD5
d189de48d249626410e9f76ca430ebd8

SHA1
6a7ab73710c2d2f3a927ef58b16477c634b3fe46

SHA256
b12d7fb5370439771f33b99428d12979d59c1d2aff56eb572294e7fd2a7c05d5

SHA512
6ca5da001917ac5adceb933a1af72bd08ab0aa63fabf7de0d1d35528e40bb4aa45f65cf55bd4f867e040228b6a18cdda76741bf327687ad0245e3961c40d1a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\zot5ecntxjlmt60ykv6

Filesize
213KB

MD5
2c8c190e5c29f45f28416f10ef07acda

SHA1
3d1878b3ffe81f240816b312c9a4960705628741

SHA256
77a83d77ef4cea93d3375dceca0e734d478ab7bd24411595c1dde9212d7d0a94

SHA512
3ca64785f6397767831f0b9a921807c633b2850164cd3a51a931092615f77f7455a589bf8181d0cbe5ec38bad508b686428889b06341afa7a3b88a0e44221a91

Download Submit
memory/5004-7-0x00000000010D0000-0x00000000010D2000-memory.dmp

Filesize
8KB

Download