d7e3306aa2727963c07a089ddf7a171f89d379f8fcfba1cd69baba4268b3e197

Analysis

max time kernel
94s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24d79b2f4a2aba518237343b7b94b817f51de0afc1e40236a4c267657b113849.exe
Size

579KB
MD5

1f9db0137245508d4ad475170c4811f5
SHA1

7f8f0bbd941bc101a114220e4f296bd58a96a494
SHA256

24d79b2f4a2aba518237343b7b94b817f51de0afc1e40236a4c267657b113849
SHA512

30a04716757e1ba2ef707fcbeb7997922223cb6f06b3820aa1df65ef572360d6122652737eece8baa92d2b6a21e41c536be02fb6f8f4a0f529c3775018ba5956
SSDEEP

12288:mXe9PPlowWX0t6mOQwg1Qd15CcYk0We1k/IPlFQ7HqOq4RfjQtjgZSFyG11:7hloDX0XOf4uwtFjKRfjcgZSFB11

Score

5^/10

discovery upx

Malware Config

Signatures

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1364-10-0x0000000000400000-0x0000000000552000-memory.dmp	autoit_exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1364-0-0x0000000000400000-0x0000000000552000-memory.dmp	upx
behavioral2/memory/1364-10-0x0000000000400000-0x0000000000552000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3888	1364	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24d79b2f4a2aba518237343b7b94b817f51de0afc1e40236a4c267657b113849.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 4840	1364	24d79b2f4a2aba518237343b7b94b817f51de0afc1e40236a4c267657b113849.exe	83
PID 1364 wrote to memory of 4840	1364	24d79b2f4a2aba518237343b7b94b817f51de0afc1e40236a4c267657b113849.exe	83
PID 1364 wrote to memory of 4840	1364	24d79b2f4a2aba518237343b7b94b817f51de0afc1e40236a4c267657b113849.exe	83

C:\Users\Admin\AppData\Local\Temp\24d79b2f4a2aba518237343b7b94b817f51de0afc1e40236a4c267657b113849.exe
"C:\Users\Admin\AppData\Local\Temp\24d79b2f4a2aba518237343b7b94b817f51de0afc1e40236a4c267657b113849.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\24d79b2f4a2aba518237343b7b94b817f51de0afc1e40236a4c267657b113849.exe
  "C:\Users\Admin\AppData\Local\Temp\24d79b2f4a2aba518237343b7b94b817f51de0afc1e40236a4c267657b113849.exe"
  2⤵
  PID:4840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 816
  2⤵
  - Program crash
  PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1364 -ip 1364
1⤵
PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autAFF7.tmp

Filesize
218KB

MD5
cc208f1ec14cb448f05b47dfc0209bfb

SHA1
996d4a93efef352fc1008542a942cdb9d73a6843

SHA256
d7304f6b8384f847a31512bbec5e5ce0a40c1499c9341ee7b2ba39d628f2684d

SHA512
41e9d257dee6148f9252328436e5eb1a8930b1e64ff7c397dac4f46deb0c7dfcfecb2cb9da2da61e9288ced9ee30deafa680ec01f7a164b48b705cec293cc7ff

Download Submit
memory/1364-0-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1364-9-0x0000000003420000-0x0000000003422000-memory.dmp

Filesize
8KB

Download
memory/1364-8-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1364-10-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download