1ce5193f8c40de6f403487483ac4bab962e5bfe73a76b3f5c4608c0bd9c9f20a

Analysis

max time kernel
93s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7084_00_WPG_20211716.exe
Size

630KB
MD5

c438a205d0a5c285ac98f558ee669dfc
SHA1

1c11cdda027a795b929d4876d04cc2c27c89219b
SHA256

e04c2819db3610dc0498ae022644d1b2ab06927cc4fadf23b200af70b551d6d2
SHA512

692c32154133d1682e756379b83440c74a78e8bfb00ec6f3b342d1eb3cd74c5e511950ba5342ce08f5d5a5727c6ba86fd47a66c27cefa54ab2f93a8ce5a2925c
SSDEEP

12288:KUNPWZCOO2120vc6r9o/gvb5zWeLlor+d7UuB45iEbgXP:KUNap7E6poIvdWeh5j45iP

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
436	7084_00_WPG_20211716.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2232	436	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7084_00_WPG_20211716.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 3004	436	7084_00_WPG_20211716.exe	83
PID 436 wrote to memory of 3004	436	7084_00_WPG_20211716.exe	83
PID 436 wrote to memory of 3004	436	7084_00_WPG_20211716.exe	83

C:\Users\Admin\AppData\Local\Temp\7084_00_WPG_20211716.exe
"C:\Users\Admin\AppData\Local\Temp\7084_00_WPG_20211716.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:436
- C:\Users\Admin\AppData\Local\Temp\7084_00_WPG_20211716.exe
  "C:\Users\Admin\AppData\Local\Temp\7084_00_WPG_20211716.exe"
  2⤵
  PID:3004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 920
  2⤵
  - Program crash
  PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 436 -ip 436
1⤵
PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsp9E64.tmp\nibn.dll

Filesize
355KB

MD5
2903025272487bdafaac262605b15219

SHA1
c9175643f7ee479e45cb07a475d6ed2570e5fd3e

SHA256
729a24f2784fd7f9f02f9696e692f629370a150a1ed5e47b74efa2b0b5bafd72

SHA512
d9d0826386d3ce95f94269754a65b2bb37571b895e67df7a9aa426e46965cf393418abf030ba6a1b9e3de020609d598f821aac7c150e339f12cfc112ee1d4bd3

Download Submit
memory/436-8-0x0000000074C87000-0x0000000074C89000-memory.dmp

Filesize
8KB

Download