51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0d

Analysis

max time kernel
110s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dN.exe
Size

1.2MB
MD5

ccb2b1c946c9455700f40cd46a4f1820
SHA1

3d86b523cfb5892f2821313526c14a9b486c840a
SHA256

51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0d
SHA512

bf18716bb5948b04f35ad3800edc3e63ed2a17c1eeabfa199ef2d38e3eeed2549b8b94554a02660b8c08d61bbf786c982fe1be09135be8487c02be5492a07fbc
SSDEEP

12288:EqOPajQUXXP8QvLWFx6Mo5rippDC7ee1hpls4Ey+YdHUCR:EnajQEPnvg6PhWDC750sJR

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2784	51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dNmgr.exe

Loads dropped DLL 9 IoCs

pid	Process
2676	51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dN.exe
2676	51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dN.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2716	2784	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dNmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2676	51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dN.exe
2676	51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dN.exe
2676	51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dN.exe
2676	51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dN.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2784	2676	51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dN.exe	30
PID 2676 wrote to memory of 2784	2676	51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dN.exe	30
PID 2676 wrote to memory of 2784	2676	51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dN.exe	30
PID 2676 wrote to memory of 2784	2676	51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dN.exe	30
PID 2784 wrote to memory of 2716	2784	51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dNmgr.exe	31
PID 2784 wrote to memory of 2716	2784	51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dNmgr.exe	31
PID 2784 wrote to memory of 2716	2784	51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dNmgr.exe	31
PID 2784 wrote to memory of 2716	2784	51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dNmgr.exe	31

C:\Users\Admin\AppData\Local\Temp\51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dN.exe
"C:\Users\Admin\AppData\Local\Temp\51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dNmgr.exe
  C:\Users\Admin\AppData\Local\Temp\51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dNmgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 100
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\51513bbb6bf59812e0ac3421caf8ebfdeb8d5cf56c7bff6d0865c36f91f98b0dNmgr.exe

Filesize
112KB

MD5
c6edf04d9d8c1cc5a2dfb91434296eef

SHA1
bc485e5bdc8c881108a82706d20b6d66c610efd5

SHA256
6b1ef9cdf84789ecf8dd416fb4ac61b4edd879d74c21c20bc33f5576f8ba651e

SHA512
80091213469acf96c8a7cf65fa9d4b76a9f23fee8ce53588bf8dd3ef36b2df8c7bbdfe0b238f9313bd7a302e85bce403076e31f1fd34e6906b182f207ca0ddf1

Download Submit
memory/2676-1-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2676-8-0x0000000000310000-0x00000000003A6000-memory.dmp

Filesize
600KB

Download
memory/2676-11-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2784-10-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2784-19-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download