7b3bfc65ac7152cce25cf081d9664f7d67912c5476c81cad7a380f761e3a03b5

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d792fce0604dfdc19ca20c9614279747dde1db7c7676dc05f4b3fb57371bd94f.exe
Size

231KB
MD5

a5cf2da4b8e2da3344041aca44c7758f
SHA1

1cf6b71f82329a596b8b5e260642d87e2b6cc589
SHA256

d792fce0604dfdc19ca20c9614279747dde1db7c7676dc05f4b3fb57371bd94f
SHA512

a43cfde76f345991d93a063f6293e7b652e370ef3cc666d09c3e7633e4d5181c6f5af1141f1517318be90c008891b61654c3293d12beca0c656caa158c4f7514
SSDEEP

6144:HNeZmIvj8f50yXpXKl7QO3Z6tZMWz7gnAo5y0:HNlIvjAb5XKxZ6jrg

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4612	ajwid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1736	4612	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d792fce0604dfdc19ca20c9614279747dde1db7c7676dc05f4b3fb57371bd94f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajwid.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 4612	4812	d792fce0604dfdc19ca20c9614279747dde1db7c7676dc05f4b3fb57371bd94f.exe	84
PID 4812 wrote to memory of 4612	4812	d792fce0604dfdc19ca20c9614279747dde1db7c7676dc05f4b3fb57371bd94f.exe	84
PID 4812 wrote to memory of 4612	4812	d792fce0604dfdc19ca20c9614279747dde1db7c7676dc05f4b3fb57371bd94f.exe	84
PID 4612 wrote to memory of 2256	4612	ajwid.exe	85
PID 4612 wrote to memory of 2256	4612	ajwid.exe	85
PID 4612 wrote to memory of 2256	4612	ajwid.exe	85

C:\Users\Admin\AppData\Local\Temp\d792fce0604dfdc19ca20c9614279747dde1db7c7676dc05f4b3fb57371bd94f.exe
"C:\Users\Admin\AppData\Local\Temp\d792fce0604dfdc19ca20c9614279747dde1db7c7676dc05f4b3fb57371bd94f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Local\Temp\ajwid.exe
  C:\Users\Admin\AppData\Local\Temp\ajwid.exe C:\Users\Admin\AppData\Local\Temp\zxycj
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Users\Admin\AppData\Local\Temp\ajwid.exe
    C:\Users\Admin\AppData\Local\Temp\ajwid.exe C:\Users\Admin\AppData\Local\Temp\zxycj
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 424
    3⤵
    - Program crash
    PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4612 -ip 4612
1⤵
PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ajwid.exe

Filesize
75KB

MD5
f5a8c28b6e248b5659561e38d470194e

SHA1
cbd1de347792a8e6af98f18f2b25874fa0a3ae63

SHA256
5e570f5d793082ed4917eb4a955ac0ffdb5c10dbef53d663b8ed84e2820db7f9

SHA512
7ad2e97b30a65c259c0217c440fc16daaf8fd542a71fc9c1023a45381774bd8796b8ef80a72bd4d212663f9f911f9491b4e76cf42277dac84437da93c1155ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sribayra72

Filesize
170KB

MD5
dd1cc5bbb767ffb2e97e8b5ccd6404cc

SHA1
8664402b4ef13c3b0381facefeeffc3e3c9d50a4

SHA256
f7eefa6eaa6b2d35bb48c8284d3db1acba29f6fa63e280cc4646151d2a444e74

SHA512
123a9d3db586dca6297850a02e6a5383621d13494511419ad98e561f061e4b17ef4f6b6ef91c46182b54848d9b79e75c7850ceafd5a7576217cef24ce270d5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxycj

Filesize
4KB

MD5
d9038f69b9e8e92e3ed9aa72a3671903

SHA1
ba871cdead478e5041a2b05820b0db2fb6dc0b17

SHA256
5d83228066971866553900c3386b6007d9f017692f5a5ceb2b618bcfed209080

SHA512
37fa67ce91a64e3cddfeab88acd88935cf01f16ce1b6c85ff01900e5fe514c703a551194bd28feddb2601ad9452ecd68ebbabdbfe133f770a1ed99a8845f3c48

Download Submit
memory/4612-8-0x0000000000580000-0x0000000000582000-memory.dmp

Filesize
8KB

Download