42bdad0ed729bc853aaaf324608b02cc3e8b2a01bd9cf96be51cd5e190c6bbda

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

scan_21000075656119_pdf.exe
Size

434KB
MD5

73471ec476c4a9840e7a5a016cbccf15
SHA1

e756222389add5c0bf2b76879071b64a47d2b811
SHA256

4c5b9ebac3175e087db4da64b7a7947ab4d49a5177c0549419a18ab9f58e5900
SHA512

5c0fbac272c5208712b836b9bfb2f4b54e73032f32119ff9ba81f8ade7839500157e5a1ae955a968325e7ded4eeffb57fb74f30e92ed1958315d035138590564
SSDEEP

12288:fEAmDWlGbc9ZqCsVVg87u4TlG6lic+spEz7Ujy:ffltP0Vg87lN/+1zMy

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4992	scan_21000075656119_pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2432	4992	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scan_21000075656119_pdf.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 4472	4992	scan_21000075656119_pdf.exe	83
PID 4992 wrote to memory of 4472	4992	scan_21000075656119_pdf.exe	83
PID 4992 wrote to memory of 4472	4992	scan_21000075656119_pdf.exe	83

C:\Users\Admin\AppData\Local\Temp\scan_21000075656119_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\scan_21000075656119_pdf.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Local\Temp\scan_21000075656119_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\scan_21000075656119_pdf.exe"
  2⤵
  PID:4472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 992
  2⤵
  - Program crash
  PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4992 -ip 4992
1⤵
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsvC6BC.tmp\wxmw.dll

Filesize
138KB

MD5
471f793e5ad2693cbe1c535a5eeaefd3

SHA1
13eb77948aeb666746294efe53e5f43164a7493f

SHA256
b259ba371a469f843799bd7bdf64bc55182b941033600d1bdf7d7c3fce6e7239

SHA512
ee209c33cc7837a7bfd1714b0f55d5fc5e4a75f696398ea5994d9b3e68f28f2fc0f646155feacd43704208aab78bb228e309e5e9646930241f11a199157ffd90

Download Submit
memory/4992-7-0x0000000010021000-0x0000000010023000-memory.dmp

Filesize
8KB

Download