33bca0b7c35d92fe1dec4638d803349ca76a0f4b2a647efa49697edb77d2ae95

Analysis

max time kernel
108s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7zSCD97F9B7/61cf42db8e020_Fri179863c92d69.exe
Size

1.9MB
MD5

1a834bf6d259babbfb8f84a40c30cee2
SHA1

bac32a006f8451b5e5063e12dfc3a27c44dd79db
SHA256

1604a4cccddecd3d488d6ede5f4040b3cb95e5d76385cb0be30cb7f8e1a380b5
SHA512

9e4e5feafeaff5695486a226fe4b302a5b4ab484e4fb96de2bb2ffeebba8f65f782283994a6409a4d36005edbf810c94f6258c4118d7facda0273a85dc2afba1
SSDEEP

24576:YLeTtjJFtHrKCeZEnvjEgbnqpZamVkfj6eR0DNk4pbAZXY1pokix+8bdmS5:YLYkCcEbEMIZa5fMJkCQYwkirbMS5

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
37	1920	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	61cf42db8e020_Fri179863c92d69.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
4332	e59207e.exe

Loads dropped DLL 4 IoCs

pid	Process
2204	rundll32.exe
2204	rundll32.exe
1920	rundll32.exe
1920	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
452	4332	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e59207e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61cf42db8e020_Fri179863c92d69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	61cf42db8e020_Fri179863c92d69.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 4980	4560	61cf42db8e020_Fri179863c92d69.exe	82
PID 4560 wrote to memory of 4980	4560	61cf42db8e020_Fri179863c92d69.exe	82
PID 4560 wrote to memory of 4980	4560	61cf42db8e020_Fri179863c92d69.exe	82
PID 4980 wrote to memory of 2204	4980	control.exe	84
PID 4980 wrote to memory of 2204	4980	control.exe	84
PID 4980 wrote to memory of 2204	4980	control.exe	84
PID 2204 wrote to memory of 3936	2204	rundll32.exe	93
PID 2204 wrote to memory of 3936	2204	rundll32.exe	93
PID 3936 wrote to memory of 1920	3936	RunDll32.exe	94
PID 3936 wrote to memory of 1920	3936	RunDll32.exe	94
PID 3936 wrote to memory of 1920	3936	RunDll32.exe	94
PID 1920 wrote to memory of 4332	1920	rundll32.exe	96
PID 1920 wrote to memory of 4332	1920	rundll32.exe	96
PID 1920 wrote to memory of 4332	1920	rundll32.exe	96

C:\Users\Admin\AppData\Local\Temp\7zSCD97F9B7\61cf42db8e020_Fri179863c92d69.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCD97F9B7\61cf42db8e020_Fri179863c92d69.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\mPPZNWRH.cPL",
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\mPPZNWRH.cPL",
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\mPPZNWRH.cPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\mPPZNWRH.cPL",
        5⤵
        Blocklisted process makes network request
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1920
      - C:\Users\Admin\AppData\Local\Temp\e59207e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e59207e.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 808
        7⤵
        Program crash
        
        PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4332 -ip 4332
1⤵
PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e59207e.exe

Filesize
11KB

MD5
620bda3df817bff8deb38758d1dc668c

SHA1
9933523941851b42047f2b7a1324eb8daa8fb1ff

SHA256
b74d7ff45768a1ee6f267e895de3e46cca505edf205563ef3f7db827f38363b3

SHA512
bc9e932860f63090bab251057bc1fd6875c410c2358321eaa74fccc117561b91e4ce6b24d5e7bb13dc44732ae151b7c33fe201acbb5af689d7f2d248dfb8c568

Download Submit
memory/1920-44-0x000000002E6F0000-0x000000002E781000-memory.dmp

Filesize
580KB

Download
memory/1920-42-0x000000002E650000-0x000000002E6E6000-memory.dmp

Filesize
600KB

Download
memory/1920-36-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1920-40-0x0000000002530000-0x00000000025CD000-memory.dmp

Filesize
628KB

Download
memory/1920-34-0x0000000002530000-0x00000000025CD000-memory.dmp

Filesize
628KB

Download
memory/1920-49-0x00000000006D0000-0x00000000006D5000-memory.dmp

Filesize
20KB

Download
memory/1920-48-0x00000000006C0000-0x00000000006C3000-memory.dmp

Filesize
12KB

Download
memory/1920-46-0x000000002E6F0000-0x000000002E781000-memory.dmp

Filesize
580KB

Download
memory/1920-41-0x000000002D8C0000-0x000000002E646000-memory.dmp

Filesize
13.5MB

Download
memory/1920-29-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1920-30-0x000000002D800000-0x000000002D8B1000-memory.dmp

Filesize
708KB

Download
memory/1920-31-0x0000000002530000-0x00000000025CD000-memory.dmp

Filesize
628KB

Download
memory/2204-24-0x000000002E280000-0x000000002E311000-memory.dmp

Filesize
580KB

Download
memory/2204-23-0x000000002E1E0000-0x000000002E276000-memory.dmp

Filesize
600KB

Download
memory/2204-18-0x00000000024A0000-0x00000000034A0000-memory.dmp

Filesize
16.0MB

Download
memory/2204-72-0x0000000000410000-0x0000000000415000-memory.dmp

Filesize
20KB

Download
memory/2204-25-0x000000002E280000-0x000000002E311000-memory.dmp

Filesize
580KB

Download
memory/2204-12-0x00000000024A0000-0x00000000034A0000-memory.dmp

Filesize
16.0MB

Download
memory/2204-14-0x000000002D3B0000-0x000000002D44D000-memory.dmp

Filesize
628KB

Download
memory/2204-17-0x000000002D3B0000-0x000000002D44D000-memory.dmp

Filesize
628KB

Download
memory/2204-22-0x000000002D450000-0x000000002E1D6000-memory.dmp

Filesize
13.5MB

Download
memory/2204-13-0x000000002D2F0000-0x000000002D3A1000-memory.dmp

Filesize
708KB

Download
memory/2204-21-0x000000002D3B0000-0x000000002D44D000-memory.dmp

Filesize
628KB

Download
memory/2204-70-0x000000002E280000-0x000000002E311000-memory.dmp

Filesize
580KB

Download
memory/2204-71-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4332-67-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download