55f131be9f75250cc1291aafe4bc1593d460bcc71c62da5437aa14c894cf22f3

Analysis

max time kernel
94s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe
Size

199KB
MD5

9915622262b1663ae9f851f664854000
SHA1

da9ae0706648eb10e1f5fbec1060f3eea8588ec6
SHA256

2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281
SHA512

d4a5583f1a531a292aece6f27f41b1abd37a31500f5def1459b5e801816bfddd1b1e6aea38f4682dd21a0e5e2ab17149d15b07242bd65fb8a6147e5247e5e61d
SSDEEP

3072:5NRCywDw1DiJkuQbojv4YQ/6Jfd9cV44zo7dkH6ChVLOWV49p6vfE2JvAEVXUOQn:5T4Dt+AxQnpe6HrLObovfTNAE2Ar+e2

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4264	2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2752	4264	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4264	2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe
4264	2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe
4264	2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe
4264	2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe
4264	2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe
4264	2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe
4264	2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe
4264	2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 3940	4264	2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe	82
PID 4264 wrote to memory of 3940	4264	2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe	82
PID 4264 wrote to memory of 3940	4264	2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe	82

C:\Users\Admin\AppData\Local\Temp\2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe
"C:\Users\Admin\AppData\Local\Temp\2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Local\Temp\2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe
  "C:\Users\Admin\AppData\Local\Temp\2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe"
  2⤵
  PID:3940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1028
  2⤵
  - Program crash
  PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4264 -ip 4264
1⤵
PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsnA6D0.tmp\gb7ir8nsaimu39b.dll

Filesize
149KB

MD5
0c44ee25d7c510783d118d3f76d88b3b

SHA1
ff537d185513d1a2daf91ca5679c79f3c8346e9a

SHA256
0b54c2abb6bee336adc1866f128591a6e0d5fa0f90333f6a6b57205b41196e20

SHA512
a13490eb75a842e15ae33cb167209e76dbfb7b1fe96530ca3bd41ff2a4318717b53a5e44bb1f0f2523f38888e142061019082ffb11bc633953a773b25e2fc587

Download Submit
memory/4264-4-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/4264-6-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download