f48a16e3da0c253c8d6e017129afab39e789b84acc445bba0cb47f1a79daa074

Analysis

max time kernel
94s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a328bc2d66baa94dc748b1a450a0ede9601ff9ccec5ff2cfd043e669383ba295.exe
Size

240KB
MD5

5c52be5501bfd96e7aa76bfa04b54e00
SHA1

83efb1f56aff4dd969222f6ffd747be0a6d7a072
SHA256

a328bc2d66baa94dc748b1a450a0ede9601ff9ccec5ff2cfd043e669383ba295
SHA512

fed8633986c845d02d1a4a791d23fd0c4850b70b5e9ad2f7a107b350a7fccc7b991c2c061dbd13efc7649bcf773d456eed068deaa7e56c25cfff19894096de20
SSDEEP

6144:HNeZmwyfaJ1I8cPNeraTn7t7OgwtQ5KzlQJzRRjaXNya5:HNlhCvI82jF7OPtQEUzRRu9ya5

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2152	agvoj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3804	2152	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a328bc2d66baa94dc748b1a450a0ede9601ff9ccec5ff2cfd043e669383ba295.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	agvoj.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2152	2160	a328bc2d66baa94dc748b1a450a0ede9601ff9ccec5ff2cfd043e669383ba295.exe	83
PID 2160 wrote to memory of 2152	2160	a328bc2d66baa94dc748b1a450a0ede9601ff9ccec5ff2cfd043e669383ba295.exe	83
PID 2160 wrote to memory of 2152	2160	a328bc2d66baa94dc748b1a450a0ede9601ff9ccec5ff2cfd043e669383ba295.exe	83
PID 2152 wrote to memory of 4756	2152	agvoj.exe	85
PID 2152 wrote to memory of 4756	2152	agvoj.exe	85
PID 2152 wrote to memory of 4756	2152	agvoj.exe	85

C:\Users\Admin\AppData\Local\Temp\a328bc2d66baa94dc748b1a450a0ede9601ff9ccec5ff2cfd043e669383ba295.exe
"C:\Users\Admin\AppData\Local\Temp\a328bc2d66baa94dc748b1a450a0ede9601ff9ccec5ff2cfd043e669383ba295.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\agvoj.exe
  C:\Users\Admin\AppData\Local\Temp\agvoj.exe C:\Users\Admin\AppData\Local\Temp\ggtxe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\agvoj.exe
    C:\Users\Admin\AppData\Local\Temp\agvoj.exe C:\Users\Admin\AppData\Local\Temp\ggtxe
    3⤵
    PID:4756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 560
    3⤵
    - Program crash
    PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2152 -ip 2152
1⤵
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\agvoj.exe

Filesize
65KB

MD5
7e62ddeae0b2e64a1e2a2974d98a1c68

SHA1
133f1f1ab8d1c223556ca51e4295d190ba9d0a59

SHA256
58455bbff5636ff36755899c69ca4483f99a3fb0a7d5803cb8699d25e669f9e0

SHA512
94d3e72000b82d31c0c2401935108e33e5abfa92ab525ca0ddbe6084c300150125d9787df4fa0805501b8c2f7b1ebd37d2301731a9ea07a26f66498ddab30779

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggtxe

Filesize
5KB

MD5
7e1c1889c241520714b99a279389e6ad

SHA1
6475ee3bc756107ba2ac134dc90229cf30b0ec98

SHA256
aedb19f73791ee830083f8df7f4696e6876cc9cd73fb3927b7844d7122c32ec2

SHA512
1204c351142c12c3974e5bf5f3503b2ef09756a71cb4ab4905a4e180fbd8051e5b372f6e1cade1ea1d4bca3e511df64c996b0851b7919f69633da6e9c5c48c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\v3ig42xmsp4

Filesize
185KB

MD5
ecd0070d9b3e44f4fc6b891832486bf7

SHA1
1685f2b64e69ab8b6d9b12b2683c960d2e41b794

SHA256
bc87b335ceb2f903ecc2f983dfdecabf411c0b038546c8fc43a63cf9d8522d32

SHA512
e7ac8bb1a238789225f0d7a228af9f66cd80d1709096fb4ee9b6485e12d856fac42aeb60528a347402f57df2dc421c74cdd41af9c7736399bb36daa8f9d0bc74

Download Submit
memory/2152-8-0x00000000005E0000-0x00000000005E2000-memory.dmp

Filesize
8KB

Download