Analysis

  • max time kernel
    93s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-12-2024 13:54

General

  • Target

    PO#1120098.exe

  • Size

    404KB

  • MD5

    87d4ee2c81b5fae355cad8d154907d7b

  • SHA1

    cb8fc5cfdf9b5f9202360f51f9cd1663177bb719

  • SHA256

    3fe13e6186755a24b331072e722fd65a60f1c40dea337e4f4e53640f083d26b3

  • SHA512

    9c43ec32b1dbb877eb8e51e0a6ab6135e9500d17c17bdaabc3390e0eb6218f66728d6ca40775252f38cedaad3f3555ec0b55afe328dbdf481e2a2d836ece338b

  • SSDEEP

    6144:yGiNSjUEBnA+hiVs8786nkn9eyOZxcyd5jJLMLtO1b3wvG:z1Al17899Gxc+pJLJ

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO#1120098.exe
    "C:\Users\Admin\AppData\Local\Temp\PO#1120098.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Users\Admin\AppData\Local\Temp\xyqsqa.exe
      C:\Users\Admin\AppData\Local\Temp\xyqsqa.exe C:\Users\Admin\AppData\Local\Temp\nbjlcjvmov
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Users\Admin\AppData\Local\Temp\xyqsqa.exe
        C:\Users\Admin\AppData\Local\Temp\xyqsqa.exe C:\Users\Admin\AppData\Local\Temp\nbjlcjvmov
        3⤵
          PID:2952
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 636
          3⤵
          • Program crash
          PID:1624
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2904 -ip 2904
      1⤵
        PID:4812
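The tree above shows the pattern a detection engineer would want to encode: the submitted sample in %TEMP% starts a dropped executable from %TEMP%, that executable relaunches its own image with an identical command line (the step on which the report flags WriteProcessMemory), and WerFault then reports a crash of the first xyqsqa.exe instance. The following is an added example, not part of the sandbox report or its tooling. The events it scans are constructed Sysmon-style process-creation records that mirror the tree on this page (PIDs, images, command lines and the SHA256 values listed in General and Downloads); the field names, the parent PID of the top-level processes, the WerFault hash placeholder and the rule names are this example's own assumptions.

```python
"""Detection logic for the process chain shown in this report.

Added example, not sandbox output. EVENTS is constructed Sysmon-style
process-creation data mirroring the report's process tree; field names,
ppid of the top-level processes (0 = not shown on the page), and the
rule names are assumptions of this example.
"""
import re

# SHA256 values copied from the report (General and Downloads sections).
REPORT_SHA256 = {
    "3fe13e6186755a24b331072e722fd65a60f1c40dea337e4f4e53640f083d26b3": "PO#1120098.exe",
    "094e08dcd36e68eff615e0e1aa4aa9d0525d5200b212af4ff89ff3b0c5dafdd4": "xyqsqa.exe",
    "53afd5eccd6c60f9e8bea6fe031e3a4ecb14b000d5d53c56f1b4f8b73633f317": "nbjlcjvmov",
    "0ef25fa1ab9fc1f4ce82d926cdd97974d531a8b0e3050befc6bcc6ca42620888": "t2i91mr3jl",
}

TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "-p <pid>" names the crashed process in a WerFault command line; the
# leading-whitespace check keeps "-pss" and "-ip" from matching.
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")

XY = r"C:\Users\Admin\AppData\Local\Temp\xyqsqa.exe"
XY_CMD = XY + r" C:\Users\Admin\AppData\Local\Temp\nbjlcjvmov"
WER = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed events (not sandbox output). WerFault hashes are placeholders.
EVENTS = [
    {"pid": 2108, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\PO#1120098.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\PO#1120098.exe"',
     "sha256": "3fe13e6186755a24b331072e722fd65a60f1c40dea337e4f4e53640f083d26b3"},
    {"pid": 2904, "ppid": 2108, "image": XY, "cmdline": XY_CMD,
     "sha256": "094e08dcd36e68eff615e0e1aa4aa9d0525d5200b212af4ff89ff3b0c5dafdd4"},
    {"pid": 2952, "ppid": 2904, "image": XY, "cmdline": XY_CMD,
     "sha256": "094e08dcd36e68eff615e0e1aa4aa9d0525d5200b212af4ff89ff3b0c5dafdd4"},
    {"pid": 1624, "ppid": 2904, "image": WER, "cmdline": WER + " -u -p 2904 -s 636",
     "sha256": "placeholder-not-a-real-hash"},
    {"pid": 4812, "ppid": 0, "image": WER, "cmdline": WER + " -pss -s 404 -p 2904 -ip 2904",
     "sha256": "placeholder-not-a-real-hash"},
]


def detect(events):
    """Return (pid, rule, detail) findings for the patterns in the report's tree."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        # Rule 1: image hash is one of the report's IOCs.
        if e["sha256"].lower() in REPORT_SHA256:
            findings.append((e["pid"], "ioc_hash", REPORT_SHA256[e["sha256"].lower()]))
        if parent is None:
            continue
        same_image = e["image"].lower() == parent["image"].lower()
        in_temp = TEMP_RE.search(e["image"]) and TEMP_RE.search(parent["image"])
        # Rule 2: an executable in %TEMP% starts a different executable in %TEMP%.
        if in_temp and not same_image:
            findings.append((e["pid"], "temp_spawns_dropped_exe", parent["image"]))
        # Rule 3: a process relaunches its own image with an identical command line.
        if same_image and e["cmdline"] == parent["cmdline"]:
            findings.append((e["pid"], "self_relaunch", parent["pid"]))
    # Rule 4: WerFault reports a crash of a process flagged by rules 1-3.
    flagged = {pid for pid, _, _ in findings}
    for e in events:
        if not e["image"].lower().endswith(r"\werfault.exe"):
            continue
        m = WERFAULT_PID_RE.search(e["cmdline"])
        if m and int(m.group(1)) in flagged:
            findings.append((e["pid"], "crash_of_flagged_process", int(m.group(1))))
    return findings


def rules_for(pid, events=EVENTS):
    """Rule names that fired for one PID, in firing order."""
    return [rule for p, rule, _ in detect(events) if p == pid]


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"PID {pid:<5} {rule:<26} {detail}")
```

Rules 2 and 3 are behavioural and do not depend on the hashes, so they still fire when the dropper is repacked; rule 1 is the brittle exact-IOC match. Note what the rules do not claim: the report flags WriteProcessMemory on PIDs 2108 and 2904 and a crash of 2904, but it does not show what was written or why the parent crashed, so the self-relaunch rule only encodes the parent/child shape visible in the tree, not a confirmed injection.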

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nbjlcjvmov

    Filesize

    4KB

    MD5

    2b8b0a034e8fb4d57c0d164ba87e924a

    SHA1

    fbec290904da1bda280974cc94084f1b7ba298cb

    SHA256

    53afd5eccd6c60f9e8bea6fe031e3a4ecb14b000d5d53c56f1b4f8b73633f317

    SHA512

    19b91cab1eff4f8e8a5bdce7fc0269479594e743b9fde868696123669809bbb431169467767c5edf3a0f8049325dedd1563f3a53da8a1bc538516557b1df3728

  • C:\Users\Admin\AppData\Local\Temp\t2i91mr3jl

    Filesize

    213KB

    MD5

    7b03b9ce6b0a3a2352a97acedcda24f2

    SHA1

    3b2b1935d0cccb4345359a2ed55cb0170a4de4bf

    SHA256

    0ef25fa1ab9fc1f4ce82d926cdd97974d531a8b0e3050befc6bcc6ca42620888

    SHA512

    6c124afabad14a532390f747e4f8a6be6460a362ee47eafe09488150170e54312ff6a6df4c474872ff217001bb911757b9777c60ef344d285e7d97ec58718069

  • C:\Users\Admin\AppData\Local\Temp\xyqsqa.exe

    Filesize

    4KB

    MD5

    21703a2b69551aa3ce5465ae96181491

    SHA1

    6cb32673f3bf2eac1e9d6f7f21465d9b598b05ec

    SHA256

    094e08dcd36e68eff615e0e1aa4aa9d0525d5200b212af4ff89ff3b0c5dafdd4

    SHA512

    edece5ae3dad4d37192bae6d6bec301ce1e7faef181a93218a193ecd3e2e2c89fe2103ff4bd3f8a4f4b0c677b39db36d91586e981fb75826a5558d98f15cfc2e

  • memory/2904-7-0x00000000005D0000-0x00000000005D2000-memory.dmp

    Filesize

    8KB