d07c95e8960c8d0a4de79e97afbbb836d73b8869dda97917bce1d0fa4ef88195

Analysis

max time kernel
93s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c5b00311b9e7f3e749e8f2c2bb639ee32f2de89bedf1c572391dedcdd10765e.exe
Size

3.6MB
MD5

27d182a9df691a5f741a6eb59d8935d1
SHA1

c9286c22657823271940407dcf5a5aae8411aa52
SHA256

0c5b00311b9e7f3e749e8f2c2bb639ee32f2de89bedf1c572391dedcdd10765e
SHA512

7aa8b59ccd34fa335324f2536ccc849515f7745be0a2a9d58a762f525aa8a512aff3eb7e0068d472c1ac791943649bf8b5322971b61f926391d62e7fca16f7a8
SSDEEP

98304:PnvZSv4UrA2LCWu+DbnvrCHpzP9vePEjRs:PvcIWCW93ryzVWyRs

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

fhwpacgmpm.exe

pid	Process
4148	fhwpacgmpm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0c5b00311b9e7f3e749e8f2c2bb639ee32f2de89bedf1c572391dedcdd10765e.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0c5b00311b9e7f3e749e8f2c2bb639ee32f2de89bedf1c572391dedcdd10765e.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
3916	4148	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0c5b00311b9e7f3e749e8f2c2bb639ee32f2de89bedf1c572391dedcdd10765e.execmd.exefhwpacgmpm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c5b00311b9e7f3e749e8f2c2bb639ee32f2de89bedf1c572391dedcdd10765e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fhwpacgmpm.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

fhwpacgmpm.exe

pid	Process
4148	fhwpacgmpm.exe
4148	fhwpacgmpm.exe
4148	fhwpacgmpm.exe
4148	fhwpacgmpm.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0c5b00311b9e7f3e749e8f2c2bb639ee32f2de89bedf1c572391dedcdd10765e.execmd.exe

description	pid	Process	procid_target
PID 1532 wrote to memory of 3556	1532	0c5b00311b9e7f3e749e8f2c2bb639ee32f2de89bedf1c572391dedcdd10765e.exe	82
PID 1532 wrote to memory of 3556	1532	0c5b00311b9e7f3e749e8f2c2bb639ee32f2de89bedf1c572391dedcdd10765e.exe	82
PID 1532 wrote to memory of 3556	1532	0c5b00311b9e7f3e749e8f2c2bb639ee32f2de89bedf1c572391dedcdd10765e.exe	82
PID 3556 wrote to memory of 4148	3556	cmd.exe	84
PID 3556 wrote to memory of 4148	3556	cmd.exe	84
PID 3556 wrote to memory of 4148	3556	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\0c5b00311b9e7f3e749e8f2c2bb639ee32f2de89bedf1c572391dedcdd10765e.exe
"C:\Users\Admin\AppData\Local\Temp\0c5b00311b9e7f3e749e8f2c2bb639ee32f2de89bedf1c572391dedcdd10765e.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /d /c bfumfapryop.bat 3415253388
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fhwpacgmpm.exe
    fhwpacgmpm.exe lhiupwwxyv.qzqv 3415253388
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1280
      4⤵
      Program crash
      PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4148 -ip 4148
1⤵
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bfumfapryop.bat

Filesize
148B

MD5
ec854669a99f2225aeb061f8acb99295

SHA1
92ce3afb081440487128a57babc92c28c12a8f14

SHA256
9e91e1c546f7351609a9083b10c25c80d9e661fcd93afc76ae1175f9b9a509cc

SHA512
b0795234fe951db26b8340d8c791b5371e4119c6aa1452360cbe0ecb8ffd523bb47c2ce0dd3e42f692cbee6ea59901a34dcdcb8f37ef66f47b195010eed8f422

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\etkewucoxpqy.qzqv

Filesize
33B

MD5
500ba63e2664798939744b8a8c9be982

SHA1
54743a77e4186cb327b803efb1ef5b3d4ac163ce

SHA256
4ebc21177ee9907f71a1641a0482603ced98e9d43389cac0ffb0b59f7343eeba

SHA512
9992b70de5867e2a00aff4f79c37ba71e827cbb104c192ebd4a553f91ae06a5b235f34e65d9d1145591c147e9e6726146cb92171945aa67b8f3294116a223fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\etkewucoxpsp.qzqv

Filesize
1B

MD5
69691c7bdcc3ce6d5d8a1361f22d04ac

SHA1
c63ae6dd4fc9f9dda66970e827d13f7c73fe841c

SHA256
08f271887ce94707da822d5263bae19d5519cb3614e0daedc4c7ce5dab7473f1

SHA512
253405e03b91441a6dd354a9b72e040068b1bfe10e83eb1a64a086c05525d8ccae2bf09130c624af50d55c3522a4fbb7c18cfc8dd843e5f4801d9ad2b5164b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\etkewucoxpth.qzqv

Filesize
3B

MD5
158b365b9eedcfaf539f5dedfd82ee97

SHA1
529f5d61ac99f60a8e473368eff1b32095a3e2bf

SHA256
39561f8af034137905f14ca7fd5a2c891bc12982f3f8ef2271e75e93433ffa90

SHA512
a1b231c2e6af432ee7df82e00d568819e12149af707d4c4fdd018b38cc4f9761062c5b7e497bd1b67e466b89e391520b88bf13f18c8b9ff646d82df740c05c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\etkewucoxpwm.qzqv

Filesize
5.2MB

MD5
a919729a18174fbbbc592801f8274939

SHA1
d2d18176e1a56e95449d48d0943030d94bc045f7

SHA256
6f639b042ecff76e4be8c4db5a36bb3ae783624b44df31628f7c52e4489d0f3d

SHA512
36aae913b019420149d53e2018de2585c6dff0c0fca927f05af030b396eed0833b120b0e84fc0bdf397f7eb0074f44fa85603175e5dcf08f437961ab3e5ce7d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fhwpacgmpm.exe

Filesize
5.2MB

MD5
2890f1847d5d5f8f0e0c036eb0e9d58c

SHA1
656306727fb15c4c43c40b57eb98c016fd1ec6fd

SHA256
f0280e1f5c2568e5fda9f911ab8341b47914a21d30f854136299f510dc843816

SHA512
233d5d07e98dc55c2d4d992f4d86b3bd19850db871e514569fc28e39b4cf8552f2225e38527341f85eb50a357b7781924185de163e540f270e3157545be6bda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lhiupwwxyv.qzqv

Filesize
641KB

MD5
1ea0da781118e89f5c20a128b63a8073

SHA1
09d4fa6febea8a38a158d2d79beaf0777256e38f

SHA256
ee90fd996b03780e5168d9176870cb41ec706644a342bd6a5d2734b009e9f195

SHA512
fd9d12f57e0890b0d19bb487068e7916888030417656022dc6e68de069338b2ed337da3683283c8bf16aba13e15d98d5935437ab9db5892e52c692c29ffc83ca

Download Submit
memory/4148-27-0x0000000016900000-0x0000000016901000-memory.dmp

Filesize
4KB

Download
memory/4148-23-0x000000003E200000-0x000000003E201000-memory.dmp

Filesize
4KB

Download
memory/4148-24-0x000000001FD00000-0x000000001FD01000-memory.dmp

Filesize
4KB

Download
memory/4148-25-0x0000000015200000-0x0000000015201000-memory.dmp

Filesize
4KB

Download
memory/4148-26-0x000000003C100000-0x000000003C101000-memory.dmp

Filesize
4KB

Download
memory/4148-28-0x000000000CC00000-0x000000000CC01000-memory.dmp

Filesize
4KB

Download