Analysis
max time kernel: 94s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 11:50
Static task: static1
Behavioral task: behavioral1
  Sample: Order Nr U764D.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: Order Nr U764D.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: nnmdtjq.exe
  Resource: win7-20240903-en
Behavioral task: behavioral4
  Sample: nnmdtjq.exe
  Resource: win10v2004-20241007-en
General
Target: Order Nr U764D.exe
Size: 255KB
MD5: 04a169e7e5c9ea7a92a2ab3debf63f41
SHA1: c1b35c61e8ee1382f7f83c182ccadf4bac6be2e8
SHA256: afc6417a1f71fe5406d149c95b046b997a99421f92f4fb8398908b73675c2012
SHA512: c5c932f02ae2f6ad6a67418a3302356fde44fa194eb9f6d02e6c150865fd9b87892187bf3e6aa379e9caea90892a8238b9ac3925e4e77444a2cfaa81dcf517fb
SSDEEP: 6144:mbE/HUbWRhd2L+uUgXCafRcIVqvP5xGKO1B3kqg4:mb/EhS33cIVqZAKUXp
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  pid: 2244, Process: nnmdtjq.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
  pid: 5036, pid_target: 2244, Process: WerFault.exe, procid_target: 85
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: Order Nr U764D.exe
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: nnmdtjq.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4900 wrote to memory of 2244, pid: 4900, Process: Order Nr U764D.exe, procid_target: 85
  description: PID 4900 wrote to memory of 2244, pid: 4900, Process: Order Nr U764D.exe, procid_target: 85
  description: PID 4900 wrote to memory of 2244, pid: 4900, Process: Order Nr U764D.exe, procid_target: 85
Processes
C:\Users\Admin\AppData\Local\Temp\Order Nr U764D.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Order Nr U764D.exe"
  PID: 4900
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\nnmdtjq.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\nnmdtjq.exe"
    PID: 2244
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 536
      PID: 5036
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2244 -ip 2244
  PID: 1792
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4KB
MD5: b472438e8c315aa6af34d23e91d6b0a7
SHA1: 5f3c21d6e3da172c95039f8d78ef3d9887ba287d
SHA256: fd25e44e4e65785d90081fafe4a1ef3629b41a9d37acb833460e789f9e9a921e
SHA512: 76e6b57bb44bf7cbdca74f6fead456c3b50680fb77c1573d2967513002d05bae2509166de8c7946375ce3da139e2ee04cd0c78f9e3d46801e5f170c73f0c06fd

Filesize: 59KB
MD5: 8b5d0587ce1121389864bdcf9559d294
SHA1: 2b903d531834992e37fab920d7b000187a9833bc
SHA256: f57122b7b5a7eff1b245080a876201adfe42eefa299d30dfc140f0427e139285
SHA512: 79e92611bab464b6c56f6fb7da20d688a6d0852f9515eb68065ddfca71a6d507f591fd8e6c7a7696b025f8d1341953b920c4abd6b170f34cc6c173fc50d72f6a

Filesize: 185KB
MD5: 82c6372659af5de6f973de4939e76030
SHA1: 7e88829c2585ffac7531d6e33a0778cef45d75c8
SHA256: 766b75812ff45f89b27284d5371aa5afc14dd84326a362de173e40f8c919a822
SHA512: ab5fd72c8a41183206d365b409ccf79fe6752319e0b55e440b34f84a258eb91983dd5bcaf3cfe36e9a695bf5e5679a9cea57f998b951b782458c67b4afcddc77