Analysis

max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-12-2024 14:39

Static task: static1
Behavioral task: behavioral1
Sample: 4f07388498049864f303bb0790b1ba03.exe
Resource: win7-20240903-en (windows7-x64)
6 signatures
150 seconds
General

Target: 4f07388498049864f303bb0790b1ba03.exe
Size: 1.3MB
MD5: 4f07388498049864f303bb0790b1ba03
SHA1: 9868a20be451246e387beb5b4dd87522e5b05a60
SHA256: 7cd155fa3550db2823a75ae6df1a2bec3ae714c5e53a536b7db955d92122af8c
SHA512: 47e13edf005e8f5dc633b86adc5ab2d0631e5b6347990896b6d8857540993a9face0277be534c7607a1ded3d40bc38ec3b4a8cbc1a39d53f74b5ac69db8dacdb
SSDEEP: 24576:TCukdjTqJY6OadMTAcTXf0IH7fMOqFW3n5A4c0njLJOaSOk469+:TcHqJDBM3MqbpcujMa/PK+
Score: 7/10
Malware Config
Signatures

Drops startup file (1 IoC)
  description   ioc                                                                                      Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aswin.vbs  4f07388498049864f303bb0790b1ba03.exe

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  4892  2128        WerFault.exe  29

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4f07388498049864f303bb0790b1ba03.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  2128  4f07388498049864f303bb0790b1ba03.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2128  4f07388498049864f303bb0790b1ba03.exe
  Token: SeDebugPrivilege  2128  4f07388498049864f303bb0790b1ba03.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                               procid_target
  PID 2128 wrote to memory of 4892  2128  4f07388498049864f303bb0790b1ba03.exe  31
  PID 2128 wrote to memory of 4892  2128  4f07388498049864f303bb0790b1ba03.exe  31
  PID 2128 wrote to memory of 4892  2128  4f07388498049864f303bb0790b1ba03.exe  31
  PID 2128 wrote to memory of 4892  2128  4f07388498049864f303bb0790b1ba03.exe  31
Processes

C:\Users\Admin\AppData\Local\Temp\4f07388498049864f303bb0790b1ba03.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f07388498049864f303bb0790b1ba03.exe"
  PID: 2128
  - Drops startup file
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 616
    PID: 4892
    - Program crash