4ae196c51c70c762f9cbf250af00414f93e8ccea2337a7595d5307a474858812

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22ef0ec1302427d5b197b30e545d0400.exe
Size

16.4MB
MD5

22ef0ec1302427d5b197b30e545d0400
SHA1

bc6b6278e436c56311bacc5e4476e5d4bab00692
SHA256

4ae196c51c70c762f9cbf250af00414f93e8ccea2337a7595d5307a474858812
SHA512

27e97250d50f8b31fcb5552826655bed92cc3a5f8334710fbb905b5a3f21dfc8e6c7e3202fa3982a21544247711fbc1f361224bb42fad28c91cf362df502c6d0
SSDEEP

393216:vMFPfYHcbXui8nRMeW3PBNEbdAgKvd5txx:vLLn5AgKvxX

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2208	2480	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22ef0ec1302427d5b197b30e545d0400.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2480	22ef0ec1302427d5b197b30e545d0400.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2480	22ef0ec1302427d5b197b30e545d0400.exe
2480	22ef0ec1302427d5b197b30e545d0400.exe
2480	22ef0ec1302427d5b197b30e545d0400.exe
2480	22ef0ec1302427d5b197b30e545d0400.exe
2480	22ef0ec1302427d5b197b30e545d0400.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2208	2480	22ef0ec1302427d5b197b30e545d0400.exe	31
PID 2480 wrote to memory of 2208	2480	22ef0ec1302427d5b197b30e545d0400.exe	31
PID 2480 wrote to memory of 2208	2480	22ef0ec1302427d5b197b30e545d0400.exe	31
PID 2480 wrote to memory of 2208	2480	22ef0ec1302427d5b197b30e545d0400.exe	31

C:\Users\Admin\AppData\Local\Temp\22ef0ec1302427d5b197b30e545d0400.exe
"C:\Users\Admin\AppData\Local\Temp\22ef0ec1302427d5b197b30e545d0400.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 208
  2⤵
  - Program crash
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d7a2c8d1

Filesize
1.4MB

MD5
4e240d276ef1a54d1b667d1f9eb88e21

SHA1
1e5b274fc533f472800c9277cba0790d93cda629

SHA256
fa8f7069956f8077648e58f45c29acb1bd6ab3dc8717329a58fd27d61e4c8972

SHA512
e91666bbd38c38b56269d95029aad986aee88172f65f7a41c24a6d11dc1ffc776cce84a51efbd52b61428f6bf1183e9ee9a09671c8cc499eb15cac2ec3ce0932

Download Submit
memory/2480-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2480-1-0x0000000000400000-0x00000000012D7000-memory.dmp

Filesize
14.8MB

Download
memory/2480-7-0x0000000075150000-0x0000000075D9A000-memory.dmp

Filesize
12.3MB

Download
memory/2480-8-0x0000000076EF0000-0x0000000077099000-memory.dmp

Filesize
1.7MB

Download
memory/2480-9-0x0000000000400000-0x00000000012D7000-memory.dmp

Filesize
14.8MB

Download
memory/2480-10-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download