Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 02:05
Static task
static1
Behavioral task
behavioral1
Sample
24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/chbtjlxnc.dll
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/chbtjlxnc.dll
Resource
win10v2004-20241007-en
General
-
Target
24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe
-
Size
243KB
-
MD5
29da8eb9acf3ebdc502817638363b27d
-
SHA1
1ddb4024670a1e8efd12617ea811fb307072af20
-
SHA256
24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf
-
SHA512
58f8f6cb0eaf944dbacd2a804f29870abe34f70d10ccc3335598e982ccb03edb96311a9d2a9c798f8357a43f47b24921cfa3e0e584056d0d27ca2a75fde83d7c
-
SSDEEP
6144:wBlL/cfBxf0vg+5XB2rZV7CkBFMjEThPBr46Lf8ar:CefBf0IrZ1Cjc26L0ar
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid Process 5004 24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 5016 5004 WerFault.exe 81 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5004 wrote to memory of 4032 5004 24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe 82 PID 5004 wrote to memory of 4032 5004 24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe 82 PID 5004 wrote to memory of 4032 5004 24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe"C:\Users\Admin\AppData\Local\Temp\24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Users\Admin\AppData\Local\Temp\24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe"C:\Users\Admin\AppData\Local\Temp\24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe"2⤵PID:4032
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 9762⤵
- Program crash
PID:5016
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 5004 -ip 50041⤵PID:3952
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
32KB
MD504e7cb86dc41703a5cf85fc5876ca52c
SHA1c1b4b144bcfbb9cb60f0feb98c74aeb1ca83abea
SHA256f151cb8d01bd600340425aed959eff4e663db50941ccba81bee3d94f5ae4e486
SHA5127c38ab8869747baa87473804cca219969534b71cfdd91b01e2a63b84fc7964fbdbbff7f56f336c2d5bac4031e8ede1e39e1d723854f3f7713b9d1ec37f7d3646