2252599383b4e54f400f12a0c23be17fecb82c33f225684086c33c518808e932

Analysis

max time kernel
94s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jeetss456352.exe
Size

214KB
MD5

dafccfe6911e74fd47cf1461e3580ed1
SHA1

b84783ab8d2c044c9a4cf2765831fd776f220c64
SHA256

8d203db46294994fba62e63ddaf99b53c5b8abf2e407f7ee516f5df1d44cc1af
SHA512

4093bbdb3f57b7dff3d6f5e699698c303c9a79cb74bba23778241ea3b8bd12e380ab034065a3f1ff306638346fce69dc8dbc4461983b3cc6c6a95e8a2386c4ab
SSDEEP

3072:qUJoFfWzzl+cSM9BPmuGky8vtGAxeVbzb0kA5nyq956rosqcqXMZdQLfl7Z2JwQo:qweEp9Nmj84AuTqNvGr3qbXrLX2CO4T

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3720	isktuabvmv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4160	3720	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jeetss456352.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isktuabvmv.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 3720	1876	jeetss456352.exe	83
PID 1876 wrote to memory of 3720	1876	jeetss456352.exe	83
PID 1876 wrote to memory of 3720	1876	jeetss456352.exe	83
PID 3720 wrote to memory of 4924	3720	isktuabvmv.exe	85
PID 3720 wrote to memory of 4924	3720	isktuabvmv.exe	85
PID 3720 wrote to memory of 4924	3720	isktuabvmv.exe	85

C:\Users\Admin\AppData\Local\Temp\jeetss456352.exe
"C:\Users\Admin\AppData\Local\Temp\jeetss456352.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Local\Temp\isktuabvmv.exe
  "C:\Users\Admin\AppData\Local\Temp\isktuabvmv.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Users\Admin\AppData\Local\Temp\isktuabvmv.exe
    "C:\Users\Admin\AppData\Local\Temp\isktuabvmv.exe"
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 644
    3⤵
    - Program crash
    PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3720 -ip 3720
1⤵
PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\isktuabvmv.exe

Filesize
6KB

MD5
4debf3d4be3833c81372eab33bcc8f99

SHA1
3c01f72309070804bda00f0545ba92dc32635d36

SHA256
a5a20c3c5c6a4882e770da52b1a8d498b39fdbf549bffa6b594566d7f26c99a5

SHA512
1418bc4717718a6f2fbbf738cde04509b5a8dcefe430b9be0dde97551248551f136e5d7649d8ef415ce67507cbb2c4c7b3ac29824f6abb611a4f658f46a74451

Download Submit
C:\Users\Admin\AppData\Local\Temp\lrwrtr.wl

Filesize
5KB

MD5
b481fd4817e233972e39dd189f695aa6

SHA1
33c33dec6a53f11990002b97961c3e513e23a0c1

SHA256
c955f7c98bf61071eee2393596ff2e9c3555ba31b353daf5fc438b24fae7ad46

SHA512
77eb80bd3f63fd3997b934ff97d81124b778fbf1bc9cf45a664912b1289079c38adea8f7f03a98ecdb2dfc8ec3f347ddf90c8b91abdc6bdcae7a770cb0ec076c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovyicohnryx.es

Filesize
185KB

MD5
08367820ada06e975ed56b12d436485e

SHA1
44508235cd40156d2060bcd53b752e309d5332da

SHA256
650167bccb0aab8157bac4ff9553af5b9d75561252c3350eb930fd274f74a935

SHA512
0e022b1271ac873b332bf5864664e53e21d592c1c2c949247652d5311e42463a9b03193c3b6948a898bfb42b395ec898b865013322bff58033ff9a67d6a652c0

Download Submit
memory/3720-8-0x00000000006D0000-0x00000000006D2000-memory.dmp

Filesize
8KB

Download