0742d441e028c5833d9da411c05e8494179d1ea34d1b7be02062664635eb9460

Analysis

max time kernel
91s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

doc22042119500.pdf.exe
Size

1.0MB
MD5

70f47b02d8f79ac207da3ee5d4eac29f
SHA1

a170afcbce17ab9471069728d88dc2a1f9229cd5
SHA256

3bea986bab8cae3a2a1f7ccb0cd948a4c72cd6ea55b7169948594f6c64f2f5ad
SHA512

39f2470c2f3b7865227777e5182d5c34660b247824dae39eced2800c9873e87380ca935b4fdd63221bd408c57cd43d46a56abd047b2effa9bed63f59a2f7e227
SSDEEP

24576:Gu6J33O0c+JY5UZ+XC0kGso6FamBSyrDRFCgWY:Iu0c++OCvkGs9Fam0ypWY

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
712	620	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	doc22042119500.pdf.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
620	doc22042119500.pdf.exe
620	doc22042119500.pdf.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
620	doc22042119500.pdf.exe
620	doc22042119500.pdf.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 3580	620	doc22042119500.pdf.exe	82
PID 620 wrote to memory of 3580	620	doc22042119500.pdf.exe	82
PID 620 wrote to memory of 3580	620	doc22042119500.pdf.exe	82

C:\Users\Admin\AppData\Local\Temp\doc22042119500.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\doc22042119500.pdf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\doc22042119500.pdf.exe"
  2⤵
  PID:3580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 696
  2⤵
  - Program crash
  PID:712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 620 -ip 620
1⤵
PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/620-11-0x0000000000AA0000-0x0000000000EA0000-memory.dmp

Filesize
4.0MB

Download