2431bcfeeed375246aa9b2e9a42868f57ccb0517bea50b9c9ddcc4ff8e3c75a1

Analysis

max time kernel
95s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO1922.exe
Size

436KB
MD5

4206075224453d62fdff5aa5c32e392b
SHA1

5d862e2e94f2d83d1594d21fd4f73d96a192a2f0
SHA256

c804865a31c4ece9c6dbf12a13593c3402f04618477746eff72709c5dc5d3ebf
SHA512

7c048a79159f82fe3295a92f471dd8c8f01f8ea099bf1c8f53d0335f150579fb102baeb0df9c4c96a15af57f40cc11406a47d14de3975e3a1be605c572889062
SSDEEP

6144:fwtwbmreTCxk0rd6Nz5iKk2CGE+qMew4cfhF+jhEKdwL4ZfRzvULe:gYmi2dvN2CGE+AMFkh56L4ZSe

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2948	PO1922.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1596	2948	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO1922.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 804	2948	PO1922.exe	83
PID 2948 wrote to memory of 804	2948	PO1922.exe	83
PID 2948 wrote to memory of 804	2948	PO1922.exe	83

C:\Users\Admin\AppData\Local\Temp\PO1922.exe
"C:\Users\Admin\AppData\Local\Temp\PO1922.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\Temp\PO1922.exe
  "C:\Users\Admin\AppData\Local\Temp\PO1922.exe"
  2⤵
  PID:804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 952
  2⤵
  - Program crash
  PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2948 -ip 2948
1⤵
PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nssB26A.tmp\hahe.dll

Filesize
19KB

MD5
c2011862c7102ab56ad2b1d8bd68d39b

SHA1
92bd5b2ed09c6c291732a5de851863410e97dd7d

SHA256
441abd6663c6823e8ac2c1facfa6bd147e28504c43dee969376ec6cfceb898d3

SHA512
c9971837b6b420ae4d72f265b118cce6667116d3d00c5731856708ae8b7c93070fafd34a62bcef0890014cefd115a5ef6d92f380735fac415b1a129c256187fd

Download Submit
memory/2948-8-0x0000000002560000-0x0000000002562000-memory.dmp

Filesize
8KB

Download