38e4a29ab9f16e4fa94d66b4d4e8f43a24872da912a3bdbd341e0ef21616b576

Resubmissions

12-01-2025 13:59

250112-ran7waxpaj 10

12-01-2025 13:48

250112-q38asavke1 10

12-01-2025 13:44

250112-q114paxlan 10

12-01-2025 13:37

250112-qw2jnaxjcl 10

Analysis

max time kernel
119s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AxoPac/ASP.NET MVC 4/Packages/EntityFramework.5.0.0/tools/migrate.exe
Size

127KB
MD5

2e33b7b2f9ccc8d9819b5cff9b7df50d
SHA1

e8b56a75fbc3fb8066dc71814b8a3420b7c4141a
SHA256

741f083ba6be47568fdef19d1282e619b9ed075852233333e09c437643baefdd
SHA512

8189b564fb2206affdf3c05dfd2bb800c8df2174fb6accc7aac8a3502c5b9f83a86812293c7fd87c2b4e126a1f6bdc105f668e698347f8b25768129086df9679
SSDEEP

3072:sKUjmd6IFhYc8HrHZsHrZa6Igy5R6/8cpqZYEqb7d9zeG0pJ:sKUJIF2ZHrHZsHrZa6Igy5Re8cpqZYEP

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1892	1660	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	migrate.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1892	1660	migrate.exe	32
PID 1660 wrote to memory of 1892	1660	migrate.exe	32
PID 1660 wrote to memory of 1892	1660	migrate.exe	32
PID 1660 wrote to memory of 1892	1660	migrate.exe	32

C:\Users\Admin\AppData\Local\Temp\AxoPac\ASP.NET MVC 4\Packages\EntityFramework.5.0.0\tools\migrate.exe
"C:\Users\Admin\AppData\Local\Temp\AxoPac\ASP.NET MVC 4\Packages\EntityFramework.5.0.0\tools\migrate.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 568
  2⤵
  - Program crash
  PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1660-0-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/1660-1-0x00000000010F0000-0x0000000001114000-memory.dmp

Filesize
144KB

Download
memory/1660-2-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/1660-3-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download