76de342da3c560312b0c1159b640949e342f994805ff962c2f95c73054913307

Analysis

max time kernel
95s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IRQ2207799_pdf.exe
Size

467KB
MD5

17a1bd2f314821d2554ff4f486bc763c
SHA1

34b75fa0336143dba8fc2cee895dbd0ffc5914ab
SHA256

d3173c18c350a7fa99867f3ef7c9bf5375a4e1ca7f5706c60d883cb17322491f
SHA512

d05cb5d8d192f78a721f4612830c186a08109c25ed0e6b26d94fee57b22575cd681e0a587ed5fac51a74ba5b670c297e5c880f713a2a138fcbdd58325e5ac1a9
SSDEEP

6144:uGi8Y9MXn1x7YZkDHY0Hi42gcmAdX2SdxWQQCJkVDOuiAQ/40aW5:4MX1x7YZkDHY0Hqm4gzC2Ou0aW5

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4992	ecflmkakn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3892	4992	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IRQ2207799_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecflmkakn.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 4992	920	IRQ2207799_pdf.exe	82
PID 920 wrote to memory of 4992	920	IRQ2207799_pdf.exe	82
PID 920 wrote to memory of 4992	920	IRQ2207799_pdf.exe	82
PID 4992 wrote to memory of 4988	4992	ecflmkakn.exe	83
PID 4992 wrote to memory of 4988	4992	ecflmkakn.exe	83
PID 4992 wrote to memory of 4988	4992	ecflmkakn.exe	83
PID 4992 wrote to memory of 4988	4992	ecflmkakn.exe	83

C:\Users\Admin\AppData\Local\Temp\IRQ2207799_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\IRQ2207799_pdf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:920
- C:\Users\Admin\AppData\Local\Temp\ecflmkakn.exe
  C:\Users\Admin\AppData\Local\Temp\ecflmkakn.exe C:\Users\Admin\AppData\Local\Temp\bizrc
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\ecflmkakn.exe
    C:\Users\Admin\AppData\Local\Temp\ecflmkakn.exe C:\Users\Admin\AppData\Local\Temp\bizrc
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 556
    3⤵
    - Program crash
    PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4992 -ip 4992
1⤵
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bizrc

Filesize
4KB

MD5
96a2151d64fe1482fb48dfde2233b734

SHA1
34596a44a935b2c3af3cfddcdbc3f42a19478df7

SHA256
d62e37a79b03d0218961d58a097085668079890264c4211de72008eda97c10d7

SHA512
991231efe7a1928725696155bfed4ea968a4cbf43fd6b0cc2117e8fade54133c3713cae0353c0ab6e9fd0010d78b64ed9a039ff46fe71ed8d11dca9cc5dc6d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecflmkakn.exe

Filesize
114KB

MD5
335f3448a8233ac59e61717a13dc5d9f

SHA1
e9ac4829c76470a6ea0b875d32d000c91a771354

SHA256
c0dec7d411b133eafdd7255c42cc81cd3b2febbee245ad61e40edc2408bddfa7

SHA512
f51f664b2ef1d94994473b659d106a95edb67bf4005a21faac30f364ce721921ae7fe79a704aee984cd6f812c0ab588be6e3ed3c9ba9de6daa260c7eab834815

Download Submit
C:\Users\Admin\AppData\Local\Temp\rnaocrblhyskjl

Filesize
212KB

MD5
29f4f3fb201838f3f6f5b2012b26a778

SHA1
bdc358339f559a48294b907ed863999843392b0f

SHA256
b30bc2794e8a2235304b6cff7a32d054f9cbc96a4877fec9e1221ba3fa3cd30d

SHA512
e206bd6a169182b9a96ab6738094fe5455f31a012552b27baca95f6051a4f3592c91d8cba6a24ff78c0c437651b8d1d51401af8cac40aba09280070683881630

Download Submit
memory/4992-7-0x0000000000C90000-0x0000000000C92000-memory.dmp

Filesize
8KB

Download