aa7ab4157c0ea04bfff754a8427eddf57cc270d8cb7b01752cc070c71ac7bdd8

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37fc27ae593c57c90608af9929d7ade4fc5924ec4e795c445c4bf8a5a1bf8585.exe
Size

225KB
MD5

3359916b838254bede2336070d99b6e5
SHA1

ae40ca0d6b91624cd8d9ef1b30e1ce2338c3309f
SHA256

37fc27ae593c57c90608af9929d7ade4fc5924ec4e795c445c4bf8a5a1bf8585
SHA512

989e405e72f4be4abcca21e8b8cb84b37165e00a88a13f3186801f0f64be8c6a7e70d069e69dfb58f71622a6b41b5c9a93d20279e4a3c580f3e2f488d59a7406
SSDEEP

3072:qUJoFfWzzl+cSM2wPddXssJXKAI95ibwrhlikpXbeK3eMmR6M3vcJLSmKqcHKrF+:qweEp2KjV5IDiErh7bNmv0JLlcHKrF+T

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4960	xxrkypy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4128	4960	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37fc27ae593c57c90608af9929d7ade4fc5924ec4e795c445c4bf8a5a1bf8585.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxrkypy.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 4960	4536	37fc27ae593c57c90608af9929d7ade4fc5924ec4e795c445c4bf8a5a1bf8585.exe	83
PID 4536 wrote to memory of 4960	4536	37fc27ae593c57c90608af9929d7ade4fc5924ec4e795c445c4bf8a5a1bf8585.exe	83
PID 4536 wrote to memory of 4960	4536	37fc27ae593c57c90608af9929d7ade4fc5924ec4e795c445c4bf8a5a1bf8585.exe	83
PID 4960 wrote to memory of 1364	4960	xxrkypy.exe	84
PID 4960 wrote to memory of 1364	4960	xxrkypy.exe	84
PID 4960 wrote to memory of 1364	4960	xxrkypy.exe	84

C:\Users\Admin\AppData\Local\Temp\37fc27ae593c57c90608af9929d7ade4fc5924ec4e795c445c4bf8a5a1bf8585.exe
"C:\Users\Admin\AppData\Local\Temp\37fc27ae593c57c90608af9929d7ade4fc5924ec4e795c445c4bf8a5a1bf8585.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Users\Admin\AppData\Local\Temp\xxrkypy.exe
  "C:\Users\Admin\AppData\Local\Temp\xxrkypy.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\xxrkypy.exe
    "C:\Users\Admin\AppData\Local\Temp\xxrkypy.exe"
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 536
    3⤵
    - Program crash
    PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4960 -ip 4960
1⤵
PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uygpu.qh

Filesize
5KB

MD5
8e97c83dc389c1fa5dc9cdceacf4d4b5

SHA1
4c143609bfea2efba4aedcdc7e31fc53e1ecd94c

SHA256
008753e08eb498464a40205664506c9f18098b67fbcabafd873aeded7ad44425

SHA512
fe99141853e49ef0a1d893667770f26ea13c344dc6b7a43cbc23cd441a8fdbdd704a25dcfe7533c65792c8a1bc93f792a460490fbf79fe465dd528244f59e415

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzqdeuvsss.y

Filesize
185KB

MD5
000956d9b032dd95819bf1da8acdfa35

SHA1
cc84b73cbca09be962fc20203017706459f757a3

SHA256
eb97119a88606e5e8cdae66a53b8fe44c3143b0f629ea54e4ca0103aeb121535

SHA512
d6dedd8852bd63f8eef55c7070fbd851c58d647be359a005bf801dc702c34abafc2275e9c28371431967763d948b95328a1cee94fb7652bf832cea2a2651aebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxrkypy.exe

Filesize
5KB

MD5
818e4839cf473064fde652fb001fcce6

SHA1
b051185eddc6992bd0b4092e338ed067487af57a

SHA256
72eefcdcbb8c9510a83e9ce80810d84688416ede5d4041aee4944f04b7cb903b

SHA512
9b8aa6a9ef6d125f80ef555429d45e970f873440d95ac8f687a2ff782d46fdf71c8b66d351010346b989fbeb74f815e96b774a6c463aa9e974399e9a67e50c06

Download Submit
memory/4960-7-0x00000000009C0000-0x00000000009C2000-memory.dmp

Filesize
8KB

Download