Overview

overview

10

Static

static

3

876511719f...0b.exe

windows7-x64

10

876511719f...0b.exe

windows10-ltsc 2021-x64

3

876511719f...0b.exe

windows11-21h2-x64

3

Resubmissions

14-12-2024 23:05

241214-2211vsyneq 10

14-12-2024 23:01

241214-2zqr4synbj 10

Analysis

  • max time kernel
    143s
  • max time network
    145s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    14-12-2024 23:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    876511719fda2fab0438ad29f9cc2f8fd684c1897a88d433f7e9c3f2e85eac0b.exe

  • Size

    749KB

  • MD5

    1eac61ee26db9242ba47437a027c47d4

  • SHA1

    3a465cb953a62c6c2dd2dc61c9f874c6ad7d8e8c

  • SHA256

    876511719fda2fab0438ad29f9cc2f8fd684c1897a88d433f7e9c3f2e85eac0b

  • SHA512

    b5966deb188881b3d1fd19f911601e451f2126b757c1341e41048cb8dbd990c411fa8815f0610217a1fd273d193cd3f9c2f199ecb02295d28ca6eeb429f88eb4

  • SSDEEP

    12288:ZwtTSWbZzmK1tl8gBVkj6VNQJsojXXKI50XZo/6N3VG:Zwt2WdzxfmVjXr6Zz

Score
3/10
discovery

Malware Config

Signatures

  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
    adwarespyware
  • Modifies registry class 4 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\876511719fda2fab0438ad29f9cc2f8fd684c1897a88d433f7e9c3f2e85eac0b.exe
    "C:\Users\Admin\AppData\Local\Temp\876511719fda2fab0438ad29f9cc2f8fd684c1897a88d433f7e9c3f2e85eac0b.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:128
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 128 -s 496
      2⤵
      • Program crash
      PID:1780
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 128 -ip 128
    1⤵
      PID:4436
    • C:\Windows\system32\BackgroundTransferHost.exe
      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
      1⤵
      • Modifies registry class
      PID:4892
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1428
      • C:\Users\Admin\AppData\Local\Temp\876511719fda2fab0438ad29f9cc2f8fd684c1897a88d433f7e9c3f2e85eac0b.exe
        "C:\Users\Admin\AppData\Local\Temp\876511719fda2fab0438ad29f9cc2f8fd684c1897a88d433f7e9c3f2e85eac0b.exe"
        1⤵
        • System Location Discovery: System Language Discovery
        PID:736
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 500
          2⤵
          • Program crash
          PID:3056
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 736 -ip 736
        1⤵
          PID:4760
        • C:\Users\Admin\AppData\Local\Temp\876511719fda2fab0438ad29f9cc2f8fd684c1897a88d433f7e9c3f2e85eac0b.exe
          "C:\Users\Admin\AppData\Local\Temp\876511719fda2fab0438ad29f9cc2f8fd684c1897a88d433f7e9c3f2e85eac0b.exe"
          1⤵
            PID:380
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 200
              2⤵
              • Program crash
              PID:4068
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 380 -ip 380
            1⤵
              PID:4664
            • C:\Users\Admin\AppData\Local\Temp\876511719fda2fab0438ad29f9cc2f8fd684c1897a88d433f7e9c3f2e85eac0b.exe
              "C:\Users\Admin\AppData\Local\Temp\876511719fda2fab0438ad29f9cc2f8fd684c1897a88d433f7e9c3f2e85eac0b.exe"
              1⤵
                PID:3792
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 468
                  2⤵
                  • Program crash
                  PID:3460
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3792 -ip 3792
                1⤵
                  PID:1552
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
                  1⤵
                  • Modifies Internet Explorer settings
                  PID:3508
                • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
                  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\CheckpointLock.docx" /o ""
                  1⤵
                  • Checks processor information in registry
                  • Enumerates system info in registry
                  • Suspicious behavior: AddClipboardFormatListener
                  • Suspicious use of SetWindowsHookEx
                  PID:3484

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\d529440d-5821-46c0-a056-c14a168b80c4.down_data
                  Filesize

                  555KB

                  MD5

                  5683c0028832cae4ef93ca39c8ac5029

                  SHA1

                  248755e4e1db552e0b6f8651b04ca6d1b31a86fb

                  SHA256

                  855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

                  SHA512

                  aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
                  Filesize

                  212B

                  MD5

                  71bc04ad4cbf76259aabcbb7b3ecdeb3

                  SHA1

                  c8ad9bc6ccb561c75f4a9c41794b865f7ca5b61d

                  SHA256

                  48490fc507eace421e75b88c85064cd4ccbecc62699140965263501849f12bb3

                  SHA512

                  79de3af9202c5392246634b2985daf58a24aab983a68ff336c2f0e31f0431247ba20e541bd0ebe6b1b32a8b99dd5da2ffe3a4ed4dfbbae12e813df6b9b5ca572

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
                  Filesize

                  2B

                  MD5

                  f3b25701fe362ec84616a93a45ce9998

                  SHA1

                  d62636d8caec13f04e28442a0a6fa1afeb024bbb

                  SHA256

                  b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                  SHA512

                  98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                  Download Submit

                • memory/3484-9-0x00007FF8A2B30000-0x00007FF8A2B40000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3484-8-0x00007FF8A2B30000-0x00007FF8A2B40000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3484-10-0x00007FF8A2B30000-0x00007FF8A2B40000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3484-11-0x00007FF8A05A0000-0x00007FF8A05B0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3484-12-0x00007FF8A05A0000-0x00007FF8A05B0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3484-7-0x00007FF8A2B30000-0x00007FF8A2B40000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3484-6-0x00007FF8A2B30000-0x00007FF8A2B40000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3484-57-0x00007FF8A2B30000-0x00007FF8A2B40000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3484-56-0x00007FF8A2B30000-0x00007FF8A2B40000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3484-55-0x00007FF8A2B30000-0x00007FF8A2B40000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3484-54-0x00007FF8A2B30000-0x00007FF8A2B40000-memory.dmp

                  Filesize

                  64KB

                  Download