3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe
Size

2.3MB
MD5

730a8f0e0a80be36bf9ba0e6cc839e77
SHA1

ceefe9311b024144e5ea3af32b4f33a48f90fa2f
SHA256

3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31
SHA512

c83849f9f8cf0407fbbe3f300660e907122f21bc3b554d1d372e2b408be3e9adb560e27b5fd8473abadb5bc8544a779f91d7437e1140cc1e8588773cc1a8c705
SSDEEP

49152:y4XP96ykubgOg0ETAVlCOZ2vz9/HQi+Ty5:l9jbghcCi2vzxwi+Ty

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Remaining.vbs	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe

Executes dropped EXE 1 IoCs

pid	Process
4672	build3.exe

Loads dropped DLL 6 IoCs

pid	Process
2068	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe
5772	WerFault.exe
5772	WerFault.exe
5772	WerFault.exe
5772	WerFault.exe
5772	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4740	2068	WerFault.exe	29
5772	4672	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2068	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe
4672	build3.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe
Token: SeDebugPrivilege	2068	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe
Token: SeDebugPrivilege	4672	build3.exe
Token: SeDebugPrivilege	4672	build3.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 4672	2068	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	30
PID 2068 wrote to memory of 4672	2068	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	30
PID 2068 wrote to memory of 4672	2068	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	30
PID 2068 wrote to memory of 4672	2068	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	30
PID 2068 wrote to memory of 4740	2068	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	31
PID 2068 wrote to memory of 4740	2068	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	31
PID 2068 wrote to memory of 4740	2068	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	31
PID 2068 wrote to memory of 4740	2068	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	31
PID 4672 wrote to memory of 5772	4672	build3.exe	32
PID 4672 wrote to memory of 5772	4672	build3.exe	32
PID 4672 wrote to memory of 5772	4672	build3.exe	32
PID 4672 wrote to memory of 5772	4672	build3.exe	32

C:\Users\Admin\AppData\Local\Temp\3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe
"C:\Users\Admin\AppData\Local\Temp\3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\build3.exe
  "C:\Users\Admin\AppData\Local\Temp\build3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 616
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:5772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 856
  2⤵
  - Program crash
  PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\build3.exe

Filesize
1.1MB

MD5
4768155f1d0f3ec4a085de7900913e24

SHA1
46ee283b4024851436bf77abd108642220771d02

SHA256
6116f7621822553a694dfe9e803d80c15a19744f8907c831f2a5c166819bf982

SHA512
d7d40e66f28336e2d476418eb348d016250c93452dddd4d11bd4fc56de6ef65bc1b374887f552804d430be189af8e32307ebc5f931eed11ae790dab16b644c13

Download Submit
memory/2068-0-0x000000007497E000-0x000000007497F000-memory.dmp

Filesize
4KB

Download
memory/2068-1-0x0000000000350000-0x00000000005B0000-memory.dmp

Filesize
2.4MB

Download
memory/2068-2-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/2068-3-0x0000000004DC0000-0x0000000004FB8000-memory.dmp

Filesize
2.0MB

Download
memory/2068-4-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-17-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-5-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-27-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-41-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-7-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-9-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-11-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-15-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-19-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-21-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-25-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-23-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-29-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-39-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-57-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-68-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-65-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-63-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-61-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-59-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-56-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-53-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-51-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-49-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-47-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-45-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-43-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-37-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-35-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-33-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-31-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-13-0x0000000004DC0000-0x0000000004FB2000-memory.dmp

Filesize
1.9MB

Download
memory/2068-1078-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/2068-1080-0x0000000002150000-0x000000000219C000-memory.dmp

Filesize
304KB

Download
memory/2068-1079-0x0000000005390000-0x00000000054FA000-memory.dmp

Filesize
1.4MB

Download
memory/2068-1081-0x000000007497E000-0x000000007497F000-memory.dmp

Filesize
4KB

Download
memory/2068-1082-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/2068-1089-0x0000000005500000-0x0000000005554000-memory.dmp

Filesize
336KB

Download
memory/2068-2173-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/4672-1093-0x00000000003C0000-0x00000000004D8000-memory.dmp

Filesize
1.1MB

Download
memory/4672-1094-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/4672-1095-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/4672-1096-0x0000000004B70000-0x0000000004C5E000-memory.dmp

Filesize
952KB

Download
memory/4672-2172-0x00000000046D0000-0x0000000004730000-memory.dmp

Filesize
384KB

Download
memory/4672-2171-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/4672-2174-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/4672-2180-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download