3a2e31f2844df5cb91eedbf24c0b93de4b0aa08525f733132c2bce0d7ab81acc

Resubmissions

21-12-2024 22:57

241221-2xpr2atjar 10

21-12-2024 20:29

241221-y9xfvsyngy 10

Analysis

max time kernel
1s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-12-2024 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c.exe
Size

214KB
MD5

da9914f2f681c7ef59293d3804c9133d
SHA1

49d23c8eac05f7c8af203f0b46f7d805fc4b1724
SHA256

1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c
SHA512

3eaaf3ba1df0f3fef3141a3f2fb0e455620ffcf569dbe438d8a8a9fa2173c275897001f6ef52b18b138d5f88e9facc053f7e8a6751c655ee320842ee756f0615
SSDEEP

6144:qweEpobsxm+SEfyjP4P3yYZcfrFPWHFjp:bowkAwfrFPWH

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1520	hvufe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2264	1520	WerFault.exe	77

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvufe.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 1520	4136	1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c.exe	77
PID 4136 wrote to memory of 1520	4136	1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c.exe	77
PID 4136 wrote to memory of 1520	4136	1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c.exe	77
PID 1520 wrote to memory of 432	1520	hvufe.exe	79
PID 1520 wrote to memory of 432	1520	hvufe.exe	79
PID 1520 wrote to memory of 432	1520	hvufe.exe	79

C:\Users\Admin\AppData\Local\Temp\1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c.exe
"C:\Users\Admin\AppData\Local\Temp\1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Users\Admin\AppData\Local\Temp\hvufe.exe
  "C:\Users\Admin\AppData\Local\Temp\hvufe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\hvufe.exe
    "C:\Users\Admin\AppData\Local\Temp\hvufe.exe"
    3⤵
    PID:432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 564
    3⤵
    - Program crash
    PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1520 -ip 1520
1⤵
PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bczbqkdqvf.ucy

Filesize
5KB

MD5
4c64f48d9a3284d80901d9b31f9a040b

SHA1
6677b5838c9aee5ffb8ff8072111211659ff1415

SHA256
4eb744492572a57a1ffc93da1aa9a9e0874f1c2f1175217597c0106034abaff3

SHA512
16b81364b0ae3549f5290622fbaf2b4b53284d3153cceb012eefe0da68cb1d6766f380e6c7432e52c54baa49b85158e6e2ba36b04d5b9bb4cd36a88d4bb23950

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebiiktbpkcr.ii

Filesize
185KB

MD5
b7aa910621411a82fff3524a3a11b122

SHA1
7bbf74d760c0ff094c3016b8c8df59347d52d48a

SHA256
ed61b0a9c4db04261e0a003815f8f6704039d484c2b04648f5dc8ec059b799d0

SHA512
ecec8babba619f7d86f745f7def0b9cefb1dc12bd2fae8870954079c28e9a80ac5f8521af735c2430671279488223729ed76ec8102fd948907cada74e9ad61ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvufe.exe

Filesize
6KB

MD5
c20ebe6762bf3ff431b6db1e4fa70a95

SHA1
85bbc70e270515b53c26966a720249b4559b9835

SHA256
bc74795639b62eb7a3958ad888e682031fa055f610db1739e51efa057adbf308

SHA512
fc42e76bfe145d52cd3237160cd0d5882ad678c50f009304aa95a4b83fd0fc203169d2325aa20ffc6dcf9b379dad514dc7fbd6f9d0de1395ad22fe71011b5ab6

Download Submit
memory/1520-7-0x0000000000AD0000-0x0000000000AD2000-memory.dmp

Filesize
8KB

Download