96db10359bb6873fa460c8c59acbb033c00814d1130da12cf655b21be994ce6e

Analysis

max time kernel
96s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SURRENDERED BL-LL2517277SIN14_PDF.exe
Size

301KB
MD5

cb55b1c8b112717e074a933736d752ad
SHA1

7cd50bef2260873a9132fec9fd0b5a74917c78ae
SHA256

f67e87585159ebb0d655eb17852a6c506e238d10091f3e7c9c3952e1d7c5df43
SHA512

ad381a9898849b644efb4469563e8e295b3f87fe98c1f57c8395696c161aa915b129a8ff1c4136f3be00286470a23f4b492a5a5e488fa739d2d3c850865463e9
SSDEEP

3072:rS17XJiDxmJJtX+WI+uO2u6TszZsyCAe1lw6na8xm/gDO3std4h9v4/0nrgoaKM8:rGiO+p+uOx6TKsTFaWM97xxAlKUPYH

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2372	SURRENDERED BL-LL2517277SIN14_PDF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1612	2372	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SURRENDERED BL-LL2517277SIN14_PDF.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 4672	2372	SURRENDERED BL-LL2517277SIN14_PDF.exe	85
PID 2372 wrote to memory of 4672	2372	SURRENDERED BL-LL2517277SIN14_PDF.exe	85
PID 2372 wrote to memory of 4672	2372	SURRENDERED BL-LL2517277SIN14_PDF.exe	85

C:\Users\Admin\AppData\Local\Temp\SURRENDERED BL-LL2517277SIN14_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\SURRENDERED BL-LL2517277SIN14_PDF.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\SURRENDERED BL-LL2517277SIN14_PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\SURRENDERED BL-LL2517277SIN14_PDF.exe"
  2⤵
  PID:4672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 908
  2⤵
  - Program crash
  PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2372 -ip 2372
1⤵
PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsp5F86.tmp\jrtnw.dll

Filesize
119KB

MD5
053e283c36f91d1f1537e5e156da3853

SHA1
502bd093ad89b93398d0ba046cd0f10f4be37069

SHA256
dd06f297b9966525c5b73e7bb63db9f02e3c9e7eab89c2980a292f35a7afeaf7

SHA512
27731297ce8ce34360b7aa19cfa3526453794b7475875f4312ed9289309e77e16ff48428a793359986662130c0c6dca33e174cc6c74c075666369b4b5f963513

Download Submit
memory/2372-6-0x0000000010000000-0x0000000010022000-memory.dmp

Filesize
136KB

Download
memory/2372-9-0x0000000010000000-0x0000000010022000-memory.dmp

Filesize
136KB

Download