30fb134992208f5e411d9586d20c4de6eaf18799a898c88ffbea4ae4584fb309

Analysis

max time kernel
94s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738.exe
Size

599KB
MD5

bb662e82e04ac3c7866cba446c15ccae
SHA1

1b90f8f280d5d90c771aa0afe393b29c4ab8e2c1
SHA256

c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738
SHA512

444aae4807df3be896177f1b039196387cdd9024b3f8051af7fb1ef9918ec7a9c9446c478f45f9fc8df2c0f6479807c68a612ef9e14ed521d615337efd4372d4
SSDEEP

12288:8oIzAxAjLyVG/QGlGwqC5/3z3P4I3xJRKY:EExM+8IGlThD33xjKY

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1212	ftmpfyzcha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4876	1212	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftmpfyzcha.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 1212	4128	c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738.exe	83
PID 4128 wrote to memory of 1212	4128	c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738.exe	83
PID 4128 wrote to memory of 1212	4128	c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738.exe	83
PID 1212 wrote to memory of 3920	1212	ftmpfyzcha.exe	84
PID 1212 wrote to memory of 3920	1212	ftmpfyzcha.exe	84
PID 1212 wrote to memory of 3920	1212	ftmpfyzcha.exe	84
PID 1212 wrote to memory of 3920	1212	ftmpfyzcha.exe	84

C:\Users\Admin\AppData\Local\Temp\c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738.exe
"C:\Users\Admin\AppData\Local\Temp\c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Users\Admin\AppData\Local\Temp\ftmpfyzcha.exe
  C:\Users\Admin\AppData\Local\Temp\ftmpfyzcha.exe C:\Users\Admin\AppData\Local\Temp\pljgbgh
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Users\Admin\AppData\Local\Temp\ftmpfyzcha.exe
    C:\Users\Admin\AppData\Local\Temp\ftmpfyzcha.exe C:\Users\Admin\AppData\Local\Temp\pljgbgh
    3⤵
    PID:3920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 432
    3⤵
    - Program crash
    PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1212 -ip 1212
1⤵
PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ftmpfyzcha.exe

Filesize
120KB

MD5
0b9c734942a35a6960bb3222a2aa3e47

SHA1
31edcd3b02af420e4b25a3eba0f77ea820d13e75

SHA256
f9ed31df479d80626e3834b0d9d11b5e2815b6704973736f324c055c99a6adcf

SHA512
e880062dd3de2a18566e47d279b67af82abf88d52380e55c8a43a20cae90f1f9b1a99bba67df40cc5d6578bb3729c43a8fd48d8fd8531c131d95a55cfc262c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\m8d9k2oc4ffztya

Filesize
462KB

MD5
2d288c29676ae66ffae121dab04e267d

SHA1
51cefe6b2715121794f990a4e5b0aec973140c68

SHA256
eae3e3166360095f851fc86e75e0362480e074f5eec018b162b2a9d0bcf056d8

SHA512
856d8af061031903d13578c7a80eed7823990dc6ed8b380bb28f27a170a1e189a9797a5f21bda325615e03291cb7612331c79b854d30d1d477608c85e340ea85

Download Submit
C:\Users\Admin\AppData\Local\Temp\pljgbgh

Filesize
4KB

MD5
74ee06cabba0d6e1675902e0af0ec31c

SHA1
6067f4c9666b63d10e9a65ab3ef585cb97f299d2

SHA256
264b82538bae28bde288f11d50801d5c721470c9e57e0355acf7ecd33bba26da

SHA512
c4514b0c028b5744965157fc15b9a777018934db938e92ca8e9dfe4473733671fdad200acd01f91c47d91be02faff334eb9ddbd61e5006b987a28922ef5ba39e

Download Submit
memory/1212-8-0x0000000000F90000-0x0000000000F92000-memory.dmp

Filesize
8KB

Download