ac1538b086450db655a1b965d83645e46e51a1b6ce9e3f6f106503a83eeb41f8

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac1538b086450db655a1b965d83645e46e51a1b6ce9e3f6f106503a83eeb41f8.exe
Size

653KB
MD5

ec3be31f1140a8570a20b1833a7e563a
SHA1

21f55b0c6ca0052daa3d6ab2b0c7cec380fa9069
SHA256

ac1538b086450db655a1b965d83645e46e51a1b6ce9e3f6f106503a83eeb41f8
SHA512

51eb5c5de0799ee7f080e9267b9093a55107aeca6bfa46cf3ff24d11f820eeea2e67ede7e7e96462cfa1074350f852e43065a1daa4efa3f1361212b986064988
SSDEEP

12288:T8MxLli5Dqsy4Kx7EkPdBdtueuu0Wdbcx07TBkezAQMGk+uU6qHdFEv:T8MHi5DuLtdBfLpk5QMGKTsdFEv

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2520	2132	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac1538b086450db655a1b965d83645e46e51a1b6ce9e3f6f106503a83eeb41f8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2520	2132	ac1538b086450db655a1b965d83645e46e51a1b6ce9e3f6f106503a83eeb41f8.exe	31
PID 2132 wrote to memory of 2520	2132	ac1538b086450db655a1b965d83645e46e51a1b6ce9e3f6f106503a83eeb41f8.exe	31
PID 2132 wrote to memory of 2520	2132	ac1538b086450db655a1b965d83645e46e51a1b6ce9e3f6f106503a83eeb41f8.exe	31
PID 2132 wrote to memory of 2520	2132	ac1538b086450db655a1b965d83645e46e51a1b6ce9e3f6f106503a83eeb41f8.exe	31

C:\Users\Admin\AppData\Local\Temp\ac1538b086450db655a1b965d83645e46e51a1b6ce9e3f6f106503a83eeb41f8.exe
"C:\Users\Admin\AppData\Local\Temp\ac1538b086450db655a1b965d83645e46e51a1b6ce9e3f6f106503a83eeb41f8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 160
  2⤵
  - Program crash
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2132-0-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2132-1-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download