cacb6d35444a261d49962f30f25fa39950bef34049ab6452f58ce80c71d97ed6

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jkdgfjdksjjs.exe
Size

307KB
MD5

f8693bc45ac1f9a8acdd9bc061ad3c2e
SHA1

b988fd20ffd3b96c4e38783d280b3e35b48ccbfb
SHA256

5ba1c9a3ebf5b288588742abae0a909ac72b081e1d6273e8e7766f81d6ffa5fb
SHA512

f9361f370f023cc12e3b890a46045d03dbcc0502f5c6ae3a5bdcb44c09e39a020a7db1f76d891a18ab0d819dd9d639d9b3af2ecf377328e17bc94421541b53b3
SSDEEP

6144:TwWDio4om2Ju0v3RP9CrYnhAze5/cK8KtLils6CwsDpdP3m:r+o4om2u0Z9CrYnStK8as2m

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2472	uzumdnygfv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1228	2472	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jkdgfjdksjjs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uzumdnygfv.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 2472	4624	jkdgfjdksjjs.exe	83
PID 4624 wrote to memory of 2472	4624	jkdgfjdksjjs.exe	83
PID 4624 wrote to memory of 2472	4624	jkdgfjdksjjs.exe	83
PID 2472 wrote to memory of 3296	2472	uzumdnygfv.exe	85
PID 2472 wrote to memory of 3296	2472	uzumdnygfv.exe	85
PID 2472 wrote to memory of 3296	2472	uzumdnygfv.exe	85

C:\Users\Admin\AppData\Local\Temp\jkdgfjdksjjs.exe
"C:\Users\Admin\AppData\Local\Temp\jkdgfjdksjjs.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Users\Admin\AppData\Local\Temp\uzumdnygfv.exe
  C:\Users\Admin\AppData\Local\Temp\uzumdnygfv.exe C:\Users\Admin\AppData\Local\Temp\rdsgx
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\uzumdnygfv.exe
    C:\Users\Admin\AppData\Local\Temp\uzumdnygfv.exe C:\Users\Admin\AppData\Local\Temp\rdsgx
    3⤵
    PID:3296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 584
    3⤵
    - Program crash
    PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2472 -ip 2472
1⤵
PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lmhranw898oy4a3ouvy

Filesize
213KB

MD5
4f77e81f7946fa82c88e5d23e97b2211

SHA1
de3715ab36335cb466e29ddc7825c525f6291cef

SHA256
aad87297ea51c46c5a3eb83ad7581013b70b9c3fde0d7ec517399101102b7efa

SHA512
568519236741317f98a23521d95869088d88f5540dc79185ff6b5605dc8a65ad89339fe685e8e66897eaac0ac39ff5ccdc06399374539395fea3ca62345a37e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdsgx

Filesize
4KB

MD5
5bbfad15b5e497b4c3a63a4eff766607

SHA1
98f1ed9e56c52a422e16615aa2d6987ea7cbcffb

SHA256
5ac571ee6b02395f8170c6f9c0002217c212fdf5b4d1bc6752eebaba84c817a9

SHA512
cda28999d79ec17c1179c3e4773f479bb23ac2d262c1258cc876212feb134736fbbbeb1975936d29d8835fbbba746672037fc7e320a22ff2d08fb08024550d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzumdnygfv.exe

Filesize
116KB

MD5
259e6385e66fb2fb767d9890621d97d5

SHA1
4d1f445199912de9b44ceda0fba6a42eaa73c79a

SHA256
a39611e75ae56a71d3266f2ede64e92ba3fcccca6d626603363d3e8397ed4ed4

SHA512
fb384a1b6767349e4d01c75b173008b839308b4e8c5c23bc0ceb10384be6af2caee22455b1e317abaa93e83ccd98a9b503997c3a51604ca9002539947511b797

Download Submit
memory/2472-8-0x00000000005C0000-0x00000000005C2000-memory.dmp

Filesize
8KB

Download