24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe
Size

243KB
MD5

29da8eb9acf3ebdc502817638363b27d
SHA1

1ddb4024670a1e8efd12617ea811fb307072af20
SHA256

24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf
SHA512

58f8f6cb0eaf944dbacd2a804f29870abe34f70d10ccc3335598e982ccb03edb96311a9d2a9c798f8357a43f47b24921cfa3e0e584056d0d27ca2a75fde83d7c
SSDEEP

6144:wBlL/cfBxf0vg+5XB2rZV7CkBFMjEThPBr46Lf8ar:CefBf0IrZ1Cjc26L0ar

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe

pid process

5004 24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5016 5004 WerFault.exe 24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe

pid	process
5004	24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe

pid	pid_target	process	target process
5016	5004	WerFault.exe	24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe

description	pid	process	target process
PID 5004 wrote to memory of 4032	5004	24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe	24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe
PID 5004 wrote to memory of 4032	5004	24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe	24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe
PID 5004 wrote to memory of 4032	5004	24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe	24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe

C:\Users\Admin\AppData\Local\Temp\24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe
"C:\Users\Admin\AppData\Local\Temp\24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\AppData\Local\Temp\24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe
  "C:\Users\Admin\AppData\Local\Temp\24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe"
  2⤵
  PID:4032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 976
  2⤵
  - Program crash
  PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 5004 -ip 5004
1⤵
PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsx9A0E.tmp\chbtjlxnc.dll

Filesize
32KB

MD5
04e7cb86dc41703a5cf85fc5876ca52c

SHA1
c1b4b144bcfbb9cb60f0feb98c74aeb1ca83abea

SHA256
f151cb8d01bd600340425aed959eff4e663db50941ccba81bee3d94f5ae4e486

SHA512
7c38ab8869747baa87473804cca219969534b71cfdd91b01e2a63b84fc7964fbdbbff7f56f336c2d5bac4031e8ede1e39e1d723854f3f7713b9d1ec37f7d3646

Download Submit
memory/5004-7-0x0000000010008000-0x000000001000A000-memory.dmp

Filesize
8KB

Download