49e58e5dd3be1cb7249207a329c465ae65fa3099148b4e4e279afd88bc4b1fe0

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ec04966ef8901ac13aa603645b3197d.exe
Size

5.1MB
MD5

5ec04966ef8901ac13aa603645b3197d
SHA1

e5263e87abb62c10a7224b598ae905858c6000de
SHA256

49e58e5dd3be1cb7249207a329c465ae65fa3099148b4e4e279afd88bc4b1fe0
SHA512

0fb6c5fa4110a2abcc02d1f405b1cd7236778223b2865991baef05eeaf2314d7b57104fbd0bc0a5c263561e144434a654937b4c620c5960f83064fcf279b3d4d
SSDEEP

98304:8L1T/X3Xn/odDFr3urN2mPR1iGV1PxMNmXV7v:+vJrNNJgGV1Px+W9

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2068	2664	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ec04966ef8901ac13aa603645b3197d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2664	5ec04966ef8901ac13aa603645b3197d.exe
2664	5ec04966ef8901ac13aa603645b3197d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2068	2664	5ec04966ef8901ac13aa603645b3197d.exe	31
PID 2664 wrote to memory of 2068	2664	5ec04966ef8901ac13aa603645b3197d.exe	31
PID 2664 wrote to memory of 2068	2664	5ec04966ef8901ac13aa603645b3197d.exe	31
PID 2664 wrote to memory of 2068	2664	5ec04966ef8901ac13aa603645b3197d.exe	31

C:\Users\Admin\AppData\Local\Temp\5ec04966ef8901ac13aa603645b3197d.exe
"C:\Users\Admin\AppData\Local\Temp\5ec04966ef8901ac13aa603645b3197d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 232
  2⤵
  - Program crash
  PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d81e17be

Filesize
1.1MB

MD5
b3727466ec07a63846376921058eb8c2

SHA1
9d5bb92eb483453386ca6584156b1779b81d517a

SHA256
7288b5649ac5a71591da2e3e2dc8b6297160ba662f81d343cd59f271baee743e

SHA512
e49bc7f234bd9c3a9cf07a5b55c20b8a6297bec3882962ea7e314968f75dd5d0091398cedf2065eea8451d2ae4bfb554c7d32afc00e32475c62fe652c39c9227

Download Submit
memory/2664-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2664-1-0x000000005FF50000-0x000000005FF51000-memory.dmp

Filesize
4KB

Download
memory/2664-2-0x000000005FF40000-0x000000005FF41000-memory.dmp

Filesize
4KB

Download
memory/2664-3-0x0000000000400000-0x000000000092A000-memory.dmp

Filesize
5.2MB

Download
memory/2664-9-0x0000000076A10000-0x000000007765A000-memory.dmp

Filesize
12.3MB

Download
memory/2664-10-0x0000000077B10000-0x0000000077CB9000-memory.dmp

Filesize
1.7MB

Download
memory/2664-11-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2664-12-0x0000000000400000-0x000000000092A000-memory.dmp

Filesize
5.2MB

Download
memory/2664-13-0x0000000000400000-0x000000000092A000-memory.dmp

Filesize
5.2MB

Download