c9549188a883c695f762d2af10e33868ce431ab96537bde6e81824364f5d4f89

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S12GF803.exe
Size

252KB
MD5

6aeeb261a692fa9e104320c7247968ef
SHA1

96c1ef5d7f32c4701557aba801ddf192f19c163f
SHA256

4f6f954d067f1af2bf8caca9e7ea103d8dbfb7507514847b999328e108b456af
SHA512

04f189b93c29424f4c840484f19beefaf831952e62b47bc3f03699a9bf084990862638432371d029babcbe7d437f7ae6f91a166fc1b377932ab2d24a1f974bbb
SSDEEP

3072:/Nyah0mJh4IKLAtHeekOLYkX2Y5hpwdYfBiZVekqdz2wB1EcbTVdEuCPxbS3G549:/waqMYkmY57wdNZVLcqw8cbzP/F9

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3192	S12GF803.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4892	3192	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S12GF803.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 3880	3192	S12GF803.exe	83
PID 3192 wrote to memory of 3880	3192	S12GF803.exe	83
PID 3192 wrote to memory of 3880	3192	S12GF803.exe	83

C:\Users\Admin\AppData\Local\Temp\S12GF803.exe
"C:\Users\Admin\AppData\Local\Temp\S12GF803.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Local\Temp\S12GF803.exe
  "C:\Users\Admin\AppData\Local\Temp\S12GF803.exe"
  2⤵
  PID:3880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 896
  2⤵
  - Program crash
  PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3192 -ip 3192
1⤵
PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst8E77.tmp\gtrvk.dll

Filesize
5KB

MD5
3627e0a769af64650e5ce46db6bb0532

SHA1
e203eaa9b1ad5d324af6696f5d1a62cd58e3513a

SHA256
a5699137065d3f0f5a26372a17eecc76905599435d866608f10c38760eb43e52

SHA512
044cb6198c848e4edd870fc9a5647e6a4644753986f2557da0babb0c9004ca14031b93c4db92d84754a297619bb87bdb6f847a3887c037180df4603583b908d1

Download Submit
memory/3192-9-0x0000000003060000-0x0000000003062000-memory.dmp

Filesize
8KB

Download