28c8678d4316f1bf61b5b7fc48f87aed9d0c5fc19c7b1ebd9bd8f481ac861dc1

Analysis

max time kernel
93s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

oo.exe
Size

242KB
MD5

f905085a630d00b01d514b663af54325
SHA1

9355bfd5c0d1fe2636c24c12da6783d964a9562e
SHA256

7d5ffe72101db06ec8ef98e2a4d698cb4a7a2c430210bef73b837fe856a5cc34
SHA512

92dba6c93446543d4148d3f86eed4f1d5ae5e36f73fa99975e01c619e87f465575b44244f8a35dfcdfed45382ea8cc3355468dcfc5a5e7db496d45b16134f8f9
SSDEEP

6144:HNeZm6BQtVdcgqeXfoq7fkrJGNevy73Ke787JhYKnusW0i:HNl6BreAq7+GNevyzKe7gYL/H

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4676	lycasyi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4032	4676	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lycasyi.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 4676	1808	oo.exe	83
PID 1808 wrote to memory of 4676	1808	oo.exe	83
PID 1808 wrote to memory of 4676	1808	oo.exe	83
PID 4676 wrote to memory of 1468	4676	lycasyi.exe	84
PID 4676 wrote to memory of 1468	4676	lycasyi.exe	84
PID 4676 wrote to memory of 1468	4676	lycasyi.exe	84

C:\Users\Admin\AppData\Local\Temp\oo.exe
"C:\Users\Admin\AppData\Local\Temp\oo.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\lycasyi.exe
  C:\Users\Admin\AppData\Local\Temp\lycasyi.exe C:\Users\Admin\AppData\Local\Temp\fekxmqbnse
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Users\Admin\AppData\Local\Temp\lycasyi.exe
    C:\Users\Admin\AppData\Local\Temp\lycasyi.exe C:\Users\Admin\AppData\Local\Temp\fekxmqbnse
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 672
    3⤵
    - Program crash
    PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4676 -ip 4676
1⤵
PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7s600mdth0ub3a

Filesize
213KB

MD5
2e6f0c560ca92dbefe06e9b54074bd38

SHA1
9dab2420af1440ebb6a2ed803c2ddf49774584c6

SHA256
8e4583acd5e0bd86fdab288c3a5cfbdf3b734b71c9b80dbabe6b2f47eb2b645c

SHA512
e7798fc4b488051be400a6887b2e7d8b72c6f29917f44ea83cf90e83e587e3af44e6da98e69d8a97d6ddbe01857f443fbf543bceec8c482edeab0d9e7f5db40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fekxmqbnse

Filesize
5KB

MD5
69f7d3e1f535de654b4ff151a0f7e089

SHA1
ff384e1b0800e45f79809d2a78a2e78b2c5722b7

SHA256
09c5caefba71924f63566b2101a031572982cfe86ffbea47799a894635ab77e7

SHA512
8d8da962f58d03b14070c60f14e4e3e87ff542f266f670345f58b983d193d5426e6f9dc01db90f01dffb382fbac12650407697f9f6ec3d8cb10fc938ce368c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\lycasyi.exe

Filesize
4KB

MD5
b4ae0759295f61f4a798dbac502dbb5d

SHA1
754740cc5275e1f45d9e83ba8eaf0de46950d2b2

SHA256
1e5e59864f9e0f0d90aafcd403b9b915b77883e57cbf5803116adfe292d81b2e

SHA512
41486569ced8dc07eaa0693a1b42f3f597c1d3791745a29de62de1ef765e59e5006b0c6796f5ee387a75ee66497fc490620db3c2ef4f4e55476f2db2db228bef

Download Submit
memory/4676-8-0x0000000000570000-0x0000000000572000-memory.dmp

Filesize
8KB

Download