8db1d8b3a8eb2032f2ee904c2cfb19f81bdf51f35f1aa479b1499a22f33ccb9a

Analysis

max time kernel
94s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f709663edaef8f4578cca9fa6de27c39e7748350c4d737182380a041c51dba2e.exe
Size

241KB
MD5

f93308a9428065a3ff3d75c40d64de09
SHA1

d4d42dea5dd2047d5df137c2e5fcb9aed7c58218
SHA256

f709663edaef8f4578cca9fa6de27c39e7748350c4d737182380a041c51dba2e
SHA512

dc38a57fd1dffdf72ee2b5a90006790e7a55f6bca22c08215eb007e582513964dcedbaa8fe3a5676a2cf5d708a429b1bbdd0c00c636cbf27d52e9cccde2890c2
SSDEEP

6144:HNeZmxExGrK6smi9FnGg4gZ6+TzLg0tWtowfvlAv4+OIVR:HNlxEGrVHkGgXkSzLz+owFAvCq

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4068	gvwpfsvx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3632	4068	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvwpfsvx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f709663edaef8f4578cca9fa6de27c39e7748350c4d737182380a041c51dba2e.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 4068	5012	f709663edaef8f4578cca9fa6de27c39e7748350c4d737182380a041c51dba2e.exe	83
PID 5012 wrote to memory of 4068	5012	f709663edaef8f4578cca9fa6de27c39e7748350c4d737182380a041c51dba2e.exe	83
PID 5012 wrote to memory of 4068	5012	f709663edaef8f4578cca9fa6de27c39e7748350c4d737182380a041c51dba2e.exe	83
PID 4068 wrote to memory of 2972	4068	gvwpfsvx.exe	84
PID 4068 wrote to memory of 2972	4068	gvwpfsvx.exe	84
PID 4068 wrote to memory of 2972	4068	gvwpfsvx.exe	84

C:\Users\Admin\AppData\Local\Temp\f709663edaef8f4578cca9fa6de27c39e7748350c4d737182380a041c51dba2e.exe
"C:\Users\Admin\AppData\Local\Temp\f709663edaef8f4578cca9fa6de27c39e7748350c4d737182380a041c51dba2e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Local\Temp\gvwpfsvx.exe
  C:\Users\Admin\AppData\Local\Temp\gvwpfsvx.exe C:\Users\Admin\AppData\Local\Temp\uhsrada
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Users\Admin\AppData\Local\Temp\gvwpfsvx.exe
    C:\Users\Admin\AppData\Local\Temp\gvwpfsvx.exe C:\Users\Admin\AppData\Local\Temp\uhsrada
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 696
    3⤵
    - Program crash
    PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4068 -ip 4068
1⤵
PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gvwpfsvx.exe

Filesize
5KB

MD5
7736fb3049e387bf3b1c1a45dab8b94a

SHA1
d6d7bb9087a9900c824fea643e6e84aed3a62cff

SHA256
a53f89fbe86157a1979d0db0748e39d4785666668bb6372156c8724492112ca5

SHA512
5c022f1ada7c8f75f123789a7dae6ae12329641e7cbc7884f1967aa600b89daf2e37eeaef9e0af33c75dd33f424525211de061b6764892b59e7cd5528f91a570

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhsrada

Filesize
5KB

MD5
c0cffc798da9e392003e1cca2edd4011

SHA1
45eeb3a41ad0de57deee757b77139d9203c30a43

SHA256
a34a5545eedeb20a2e252b02fa2de89831c2644ea2d46a7313d885b0c107fd9a

SHA512
a8d37b395ad70119d00b4cd84aeb3904e4e89403c27d352f20b13aa38772c976f784fc1f7842d39c9a2403b8889c4eb507fe42f8e27d1ae3e0c8254e9ebed612

Download Submit
C:\Users\Admin\AppData\Local\Temp\uraaz2snehz0dg

Filesize
212KB

MD5
49a6bb438a3c1f01095adf7dbbeeea27

SHA1
a46b35093b08cec2065f6e622790ba093d10f825

SHA256
baef02274fcd4d2a5a8a9caf3d8c14b7aa1e1ef97bca407f46c6077f99aa1199

SHA512
9b9eea79c65e8ec5169e5829e653a1dc0ec3671f799be0150aaadf072f5d68860c29bd4f766593551bc751436c9545f96718ec39d1f47fac01f84fdbc5cdeaf6

Download Submit
memory/4068-7-0x00000000004B0000-0x00000000004B2000-memory.dmp

Filesize
8KB

Download