b68c7b0dc7a0332119c733dd3882921ac9dd04e649bf16250552f5923ddab76e

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8fc9092bda462febd606eb7aa814bf92ea0f316fd05856cf8fa39a173ccf5dc.exe
Size

576KB
MD5

52dfa0efff6239c012df3aa4885738e9
SHA1

289abb9973ad604135eda9c233a0d4d8804d8b33
SHA256

d8fc9092bda462febd606eb7aa814bf92ea0f316fd05856cf8fa39a173ccf5dc
SHA512

c7d74fedfc0a30e91450b6b778c621567b9c14272c64e1489b6ce7e74c1fa997d414fb044f95cfdf230851246d298ee9b4d102b009093b46ee275309375b1818
SSDEEP

12288:HNlrrAUo+7LsgRhNYIIYwl+4RPf+02VZn6EBpbEXNoC7x7DRYWL4:HNl/A0cIHYIIrU4RPf+xH6mpgXNovb

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4524	kqxnamcagu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4644	4524	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8fc9092bda462febd606eb7aa814bf92ea0f316fd05856cf8fa39a173ccf5dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kqxnamcagu.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 4524	3176	d8fc9092bda462febd606eb7aa814bf92ea0f316fd05856cf8fa39a173ccf5dc.exe	82
PID 3176 wrote to memory of 4524	3176	d8fc9092bda462febd606eb7aa814bf92ea0f316fd05856cf8fa39a173ccf5dc.exe	82
PID 3176 wrote to memory of 4524	3176	d8fc9092bda462febd606eb7aa814bf92ea0f316fd05856cf8fa39a173ccf5dc.exe	82
PID 4524 wrote to memory of 2552	4524	kqxnamcagu.exe	84
PID 4524 wrote to memory of 2552	4524	kqxnamcagu.exe	84
PID 4524 wrote to memory of 2552	4524	kqxnamcagu.exe	84

C:\Users\Admin\AppData\Local\Temp\d8fc9092bda462febd606eb7aa814bf92ea0f316fd05856cf8fa39a173ccf5dc.exe
"C:\Users\Admin\AppData\Local\Temp\d8fc9092bda462febd606eb7aa814bf92ea0f316fd05856cf8fa39a173ccf5dc.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Users\Admin\AppData\Local\Temp\kqxnamcagu.exe
  C:\Users\Admin\AppData\Local\Temp\kqxnamcagu.exe C:\Users\Admin\AppData\Local\Temp\fytxembb
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\kqxnamcagu.exe
    C:\Users\Admin\AppData\Local\Temp\kqxnamcagu.exe C:\Users\Admin\AppData\Local\Temp\fytxembb
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 568
    3⤵
    - Program crash
    PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4524 -ip 4524
1⤵
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ckkbi3lpet02ueau

Filesize
541KB

MD5
e2c2d4997e328b7e911d99932744cfd3

SHA1
bf47fa31351c1a7f0debec5e7ace3cb7daabb922

SHA256
01d8b1d8bcf46f971f99db24bb4adfae1fbcebab6399297301198bedb3116899

SHA512
30e64de0f739cce222ee3a4ef58b1fb849cc1cb9208c12961333bd1a059cbacf421a7cdbebf302af356bad7b56af18e3e7125cc09e02d8ef6b9fd68001eef57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fytxembb

Filesize
4KB

MD5
ae58d4ffc7a3914c4eb564373ccfdd10

SHA1
ed0c770cdf7a6aff167680d9e84c8e12183af785

SHA256
79b593d3bd1747efc106b0a57c5afde3e345b4d7a06834ec734845f1eecb105e

SHA512
4c1892bdb18a4f942be9be753a90dc70a978133927d36d36f4626f99ef0c0dadf39d78a9d8aab99bc24d04ab0f93e6ffac1d6a5908ab98c4ecd07c2588cba464

Download Submit
C:\Users\Admin\AppData\Local\Temp\kqxnamcagu.exe

Filesize
65KB

MD5
633e7a3ed0d7a1e1e1404dc9117403b5

SHA1
c4bab081edcdf7964f2e9887240138df65ff9fe8

SHA256
def2b6e18e46018ecda8107b333f24c5fd3f58582d17eadde6d448889db5151e

SHA512
79b497b3ec5d11777d458f88ced2ae2dd41124385c479ac8a8cf9b48903f0c389f111b785e08980dce0f4e59ca1cdf3237c2ce409fe1b4237669de139eabc1b6

Download Submit
memory/4524-8-0x0000000000690000-0x0000000000692000-memory.dmp

Filesize
8KB

Download