1218c859c65e22d750a8c9c22df3d6555775b91a5ac797b85e70e3c123a78cff

Analysis

max time kernel
92s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c.exe
Size

434KB
MD5

f6666d2dc66bf27af205c487c6a017d5
SHA1

639246ec825c9353bb22842de1b9411e53be2f35
SHA256

c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c
SHA512

72bef879fb5e924078f7af3808f026ce587af4d0abdb60a84696eeb147c79a4b4d6cdfbb16286657a80ae42f9ffdac78f0d61aa869cfa2c9809795504085af4c
SSDEEP

6144:qGi4U177myi8hHrVAn7PuzIuctvYWKJFa/ft3a7CfzeE3Nw:R87c8xVy7GzxugPJM/ftECby

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
372	xzzepj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5032	372	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xzzepj.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 372	3764	c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c.exe	82
PID 3764 wrote to memory of 372	3764	c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c.exe	82
PID 3764 wrote to memory of 372	3764	c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c.exe	82
PID 372 wrote to memory of 4500	372	xzzepj.exe	83
PID 372 wrote to memory of 4500	372	xzzepj.exe	83
PID 372 wrote to memory of 4500	372	xzzepj.exe	83
PID 372 wrote to memory of 4500	372	xzzepj.exe	83

C:\Users\Admin\AppData\Local\Temp\c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c.exe
"C:\Users\Admin\AppData\Local\Temp\c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Users\Admin\AppData\Local\Temp\xzzepj.exe
  C:\Users\Admin\AppData\Local\Temp\xzzepj.exe C:\Users\Admin\AppData\Local\Temp\tqcey
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Users\Admin\AppData\Local\Temp\xzzepj.exe
    C:\Users\Admin\AppData\Local\Temp\xzzepj.exe C:\Users\Admin\AppData\Local\Temp\tqcey
    3⤵
    PID:4500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 372
    3⤵
    - Program crash
    PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 372 -ip 372
1⤵
PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tqcey

Filesize
5KB

MD5
fba283c3bab916f35797445394f795da

SHA1
c63a0ed77bbee8973b44e31ae206eef02474d425

SHA256
44ef39d2ef5a57f5dbdea050f8832219e6be19b621d67f401012a689b9d0f5df

SHA512
594cbc574682e6a2885bc724aed14625739ce3a408b4c38430b94c04fe157a8d3bbc29ba05ae8b21428b3c6d5dd1001397a09ba3ad7e563b177ab74665701625

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzzepj.exe

Filesize
56KB

MD5
0a4cb859a673483a1f5612365975a485

SHA1
24ae60a57e5a374944c30351d898b5c1fe508c38

SHA256
ab0d73765ac2310f6401074f9a7d16fb30e32c2b188cb47697d9e0fe0d3ae16c

SHA512
9756bc2676adc754502f9d290242d71f62ee456ba1420735f78fc514783e26bb97acba1ba74a7921930faba2c55551c14b62b34b54658ea8da4f02e60ab08563

Download Submit
C:\Users\Admin\AppData\Local\Temp\yg1039a0w95poxme

Filesize
212KB

MD5
5c9453fa9d71d302eae2b13c56a9cb3b

SHA1
40414d6c7f5e0c9e32c72b0f3c14039959b2a66a

SHA256
bddea1622085d80de6087e07a9d88db92b6edeed632afc220f98b91e76e3a6e1

SHA512
9d9eebf97a10476accef32cef9b33510f323e649433d8be3ece6a27936bf261da46ac1c42862ccdf66b955233a9accfc3bbe980b4e8eb6c919a1dc8605bb0663

Download Submit
memory/372-7-0x0000000000900000-0x0000000000902000-memory.dmp

Filesize
8KB

Download