b9f1b6b390e993702fc4638b3aa7bc0ff497cb7b1d7d48862fdf7c17ea2564e6

Analysis

max time kernel
93s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2575df47e8e09da1f99edde3c9533468c1c76e271e354323bb410aab1bd5f02f.exe
Size

244KB
MD5

ab56d27ab05f380a166ee2b9409a759b
SHA1

8fbda847f0969523042a9e9a0e1b2ce36e81d749
SHA256

2575df47e8e09da1f99edde3c9533468c1c76e271e354323bb410aab1bd5f02f
SHA512

6d824d2b1fc82298fe4b6d5bf735f3c88c272ed42134396a398481157812e1cd706ad915da4a7e64c7941e1898bbb0c8cf6c92602dd976618c270602e4a4a334
SSDEEP

6144:rGiK7P9Xjv4UPOth6tT+fzQrEdGUzlAsLRvDkE73Fb5iptZx9s:81XjO76Z+srE0URAkv7Gpt9s

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
624	qmhzftyxd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2212	624	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2575df47e8e09da1f99edde3c9533468c1c76e271e354323bb410aab1bd5f02f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qmhzftyxd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 624	4048	2575df47e8e09da1f99edde3c9533468c1c76e271e354323bb410aab1bd5f02f.exe	83
PID 4048 wrote to memory of 624	4048	2575df47e8e09da1f99edde3c9533468c1c76e271e354323bb410aab1bd5f02f.exe	83
PID 4048 wrote to memory of 624	4048	2575df47e8e09da1f99edde3c9533468c1c76e271e354323bb410aab1bd5f02f.exe	83
PID 624 wrote to memory of 4700	624	qmhzftyxd.exe	84
PID 624 wrote to memory of 4700	624	qmhzftyxd.exe	84
PID 624 wrote to memory of 4700	624	qmhzftyxd.exe	84

C:\Users\Admin\AppData\Local\Temp\2575df47e8e09da1f99edde3c9533468c1c76e271e354323bb410aab1bd5f02f.exe
"C:\Users\Admin\AppData\Local\Temp\2575df47e8e09da1f99edde3c9533468c1c76e271e354323bb410aab1bd5f02f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Users\Admin\AppData\Local\Temp\qmhzftyxd.exe
  C:\Users\Admin\AppData\Local\Temp\qmhzftyxd.exe C:\Users\Admin\AppData\Local\Temp\glbqxojq
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Users\Admin\AppData\Local\Temp\qmhzftyxd.exe
    C:\Users\Admin\AppData\Local\Temp\qmhzftyxd.exe C:\Users\Admin\AppData\Local\Temp\glbqxojq
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 556
    3⤵
    - Program crash
    PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 624 -ip 624
1⤵
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\glbqxojq

Filesize
5KB

MD5
a05365ae52c2863aa47547876aa4ae23

SHA1
f071ee6d06061cdfd28b82ea612bf2b1bd8ecd5d

SHA256
b142c2076a679b9791de2c75d60d91bf512d4d9f9c8b0f899d987bcef5e3dafa

SHA512
d83ea7645c2d0b83a87d22d4b97347fd6712c09f6e7dcd1d5d51f02180a853b0344a33ae7555c9ebdeaf9d7c33537359cfe7fd914e4b66eaa5e3b8ff15febca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmhzftyxd.exe

Filesize
4KB

MD5
2281c1ed86f831c1fe3e0e9605f27b67

SHA1
492dce2fdc0859857277e4a4ac3b9bd6eb3cf966

SHA256
f7396efdcbc39e94a112ca8086d845b52ecbd9195516c9c9eff55491eee9f664

SHA512
be68d2f3eaa905172ebfc325320d86143ea84f31791b348a9e3b7004d3b2dc4c499f7d5e0f19419ae2d7be0d9277ea69876784214480dca120240abbe60ddc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\y2c2ak3s9hlubx

Filesize
213KB

MD5
818c4223b9c6ff05e4a17af7ada350e7

SHA1
6cc9c97f1cdf5d7c256aa282bcc5d0b86062f4f6

SHA256
33e828e872dce5bafb41e635644ce13b17cba1ed2502412b6ca0a27b9367c44b

SHA512
a1e967a070087c423238022ed745b73b09499c46da3d0c6bf4e404c67adbd8e68550a641d08eaff284d1300f86bb49bc7a9c3a6aa6cf68c0ddea2fddeb37584a

Download Submit
memory/624-7-0x0000000000470000-0x0000000000472000-memory.dmp

Filesize
8KB

Download