12e576f977f74152cdf32cdfd8ea6904e3728f69a4c67bf30f449d6a0623ea41

Analysis

max time kernel
93s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

package delivery failed.exe
Size

333KB
MD5

696f70a52e873abbb6fe59673092d9d8
SHA1

e106d3dcebaa06ee19a246620d8e392d3977f19d
SHA256

a4b5549649c6a3bb9deccccd340fbbb60519fcb0e4091004628ea3b611dc0e3c
SHA512

ef7d57821de9e65b023fa53d38a2f4998ae11783834ecc41af1ea77b8c7e2307c22f48bbe2f7cca02b984f17292431dcf8796a0b4f501bfbe18458980906d6c2
SSDEEP

6144:BBlL/ClGiQcRn2GMYjZxHLweHq5MZ7qVZq+ElZqwA3XHqsV/n:HQlBQcd3MYjZxHUeHwMZuV8XlZqH3

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1128	package delivery failed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2504	1128	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	package delivery failed.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 1412	1128	package delivery failed.exe	82
PID 1128 wrote to memory of 1412	1128	package delivery failed.exe	82
PID 1128 wrote to memory of 1412	1128	package delivery failed.exe	82

C:\Users\Admin\AppData\Local\Temp\package delivery failed.exe
"C:\Users\Admin\AppData\Local\Temp\package delivery failed.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\package delivery failed.exe
  "C:\Users\Admin\AppData\Local\Temp\package delivery failed.exe"
  2⤵
  PID:1412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1092
  2⤵
  - Program crash
  PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1128 -ip 1128
1⤵
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsfBA48.tmp\srrk.dll

Filesize
99KB

MD5
a3caa7e8895fb8eccc4cfc84c2f37283

SHA1
0c10231f8b45a1f6d9037fab396310a35fc572c5

SHA256
7b153187b30e47fda2f39d2621c04dded4e6776fabbebf5cc6a6a157a8324c02

SHA512
b96bdf0909a777ff559d31ac0600a5bbf90fcfa322232b4818ee275a2fda7638c4d06cb493f746a79e30367400ce2d252c46918e3dfbed851be81d1399b42c16

Download Submit
memory/1128-7-0x0000000074D87000-0x0000000074D89000-memory.dmp

Filesize
8KB

Download