d90c8f08a6b5a82b6efdc12412194291256d8a7e9d7c82aca11f593153a4b669

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9443eaa7d2d6dcb3c7fc77200c340bdfb7acba3f77aecbb5d07c0f50b5e1ee0.exe
Size

248KB
MD5

60268126a7a5c0a03358e7acb155753d
SHA1

6aa7f8495a0498d437c0a1255d31e1f85a4045c6
SHA256

a9443eaa7d2d6dcb3c7fc77200c340bdfb7acba3f77aecbb5d07c0f50b5e1ee0
SHA512

51c376341b15a3355d5e9b427b15d6552a332d2b5fc5934e5705db55d1106b77898396291c4b56ca05c3e00e0479bcda61a6dd354e19d855717fa22a3cc56979
SSDEEP

6144:HNeZmabIvllTu8EWvbk9Xi7asfYqGcWsL6Rq8:HNla0vllTuWjSiWaWsLiq8

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3948	kruxx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1868	3948	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kruxx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9443eaa7d2d6dcb3c7fc77200c340bdfb7acba3f77aecbb5d07c0f50b5e1ee0.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 3948	4960	a9443eaa7d2d6dcb3c7fc77200c340bdfb7acba3f77aecbb5d07c0f50b5e1ee0.exe	83
PID 4960 wrote to memory of 3948	4960	a9443eaa7d2d6dcb3c7fc77200c340bdfb7acba3f77aecbb5d07c0f50b5e1ee0.exe	83
PID 4960 wrote to memory of 3948	4960	a9443eaa7d2d6dcb3c7fc77200c340bdfb7acba3f77aecbb5d07c0f50b5e1ee0.exe	83
PID 3948 wrote to memory of 3588	3948	kruxx.exe	84
PID 3948 wrote to memory of 3588	3948	kruxx.exe	84
PID 3948 wrote to memory of 3588	3948	kruxx.exe	84
PID 3948 wrote to memory of 3588	3948	kruxx.exe	84

C:\Users\Admin\AppData\Local\Temp\a9443eaa7d2d6dcb3c7fc77200c340bdfb7acba3f77aecbb5d07c0f50b5e1ee0.exe
"C:\Users\Admin\AppData\Local\Temp\a9443eaa7d2d6dcb3c7fc77200c340bdfb7acba3f77aecbb5d07c0f50b5e1ee0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Local\Temp\kruxx.exe
  C:\Users\Admin\AppData\Local\Temp\kruxx.exe C:\Users\Admin\AppData\Local\Temp\ibrjgqmyl
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Users\Admin\AppData\Local\Temp\kruxx.exe
    C:\Users\Admin\AppData\Local\Temp\kruxx.exe C:\Users\Admin\AppData\Local\Temp\ibrjgqmyl
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 592
    3⤵
    - Program crash
    PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3948 -ip 3948
1⤵
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ibrjgqmyl

Filesize
5KB

MD5
45ed546858332c77218e12066a6029fa

SHA1
0858494aa6e52959811e57e8398614cc09c62153

SHA256
810fdd38959fcf9f3dba6ae58163cffb80078085d5d647a6929211d90cb7c873

SHA512
003533ccca626dadfa4c4486effac47eca3150e93aad8123c1ffb5c39363e5048238d42c9b4c910c1c588a21393473d76e5cb6ab420a8c0d7bf3e005ca2fcd9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kruxx.exe

Filesize
78KB

MD5
72cc5689ff61af5b6ce2ad9ab8e87695

SHA1
b30d786ff2e5ad9e916f188ecb463392e8ba75f6

SHA256
16e225b10cd5bc64956c75ac0fa201a37127badec00a33d9b4d5ad0b76e26198

SHA512
b3974b38475f39def30d4f9cadd4e6c3387f4296a75352bd88cc1f98f1adf9959eec06b1bf9d9f3dc4c0c14baf758ba9fcf8705ce3256a6487afb50afa26bf94

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyz7p5a4b3239vu443v

Filesize
184KB

MD5
c0d1a464617230b6629ebb9b91cd1505

SHA1
afa65713857e56caffa5fad7efb37df0f7596bbf

SHA256
58202640a0e3fe1c7bbf9ff4d3713bab99e4264ca358a369f4d8051a7a2adc17

SHA512
0641c5a98239e7ed1ccbe0d1cbdb5de390374f6752de350a9db8a0769119566db98e00912e7bd1fabb318859662f98f6def95c301a37ece1bf2b8fa4ea017e03

Download Submit
memory/3948-8-0x0000000000FC0000-0x0000000000FC2000-memory.dmp

Filesize
8KB

Download