3a2e31f2844df5cb91eedbf24c0b93de4b0aa08525f733132c2bce0d7ab81acc

Resubmissions

21-12-2024 22:57

241221-2xpr2atjar 10

21-12-2024 20:29

241221-y9xfvsyngy 10

Analysis

max time kernel
58s
max time network
92s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-12-2024 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe
Size

349KB
MD5

02a41eb01d841ddffe402fcfbb73bd0e
SHA1

932bdc88df3e0c3d0747ec3a53b9aaaf7365b88b
SHA256

0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca
SHA512

c6f42a2f012e320ffdb435e129bf2ab2b62bcea7af20ac10d60ccb11239ef02324845f4a74d2868a70db2715fe6dc9ff7e7c4a789e1bbdaaf3bbef07166e1773
SSDEEP

6144:FweEwTKu1gRtv6cWGqV/9zYTyOpMKbsAJRv31M0E2Jt:Mv6cxqV/GGOqKoAPv31M0/

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3684	jazvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4004	3684	WerFault.exe	77

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jazvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3780 wrote to memory of 3684	3780	0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe	77
PID 3780 wrote to memory of 3684	3780	0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe	77
PID 3780 wrote to memory of 3684	3780	0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe	77
PID 3684 wrote to memory of 1604	3684	jazvc.exe	79
PID 3684 wrote to memory of 1604	3684	jazvc.exe	79
PID 3684 wrote to memory of 1604	3684	jazvc.exe	79

C:\Users\Admin\AppData\Local\Temp\0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe
"C:\Users\Admin\AppData\Local\Temp\0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Users\Admin\AppData\Local\Temp\jazvc.exe
  "C:\Users\Admin\AppData\Local\Temp\jazvc.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Users\Admin\AppData\Local\Temp\jazvc.exe
    "C:\Users\Admin\AppData\Local\Temp\jazvc.exe"
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 492
    3⤵
    - Program crash
    PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3684 -ip 3684
1⤵
PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jazvc.exe

Filesize
5KB

MD5
3c7874bebc12054686a69405bbf37d0b

SHA1
6a8054b9610e863eb76eb07c2b17695fc2d68b17

SHA256
ba5a34d1642ab08089790649f79121542bd59850a5be0bc10761d31bc9fa5517

SHA512
1fb9703c94f7fed61f45713e2df3623267e4e03aba82c85386f290a62350e1f953435f1093d94888174eac0dac34ad82115ce9e39a61da580b4cef05e849a0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\prwmgrrucpx.tk

Filesize
185KB

MD5
3e68446ee827659a54689c739b5b8df7

SHA1
54fb7a3f640d405f96f362452eb8dc312b57a539

SHA256
f9659fed6df556d783c9cc34186b9c6e607c2123b8835d884dea8d6f92326878

SHA512
7f29e1d8cec74634c7491500f0da45e656d35a9ce01800e15a33c07fc9a69f36bdd8f8a2ff4e132e237ec75e71d46b45677d4d5da3213622365279acb606ac2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vinztiozf.ut

Filesize
5KB

MD5
9a1822801cfb30d974022d7e578bbe0f

SHA1
63094d8d3ea74e7831702d7ef0abf02c2fcca554

SHA256
39259efed3713a0f0840da9c7472792f11577b7e15cddb8976f9f75089be86b4

SHA512
448424a790df42901727c042c21981613dd5effb284004a170a65cce624038162a776f5c08ff88aa0a7c56de5aa1881fd737ea7e5c1be31719e19e3613206447

Download Submit
memory/3684-7-0x0000000000AC0000-0x0000000000AC2000-memory.dmp

Filesize
8KB

Download